Chap 2: Cisco IOS

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1
2.1 Cisco IOS Access

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2
Cisco IOS Access
Access Methods

Two methods to connect a PC to a network device to monitor or

configure
• Out-of-band management
• In-band management

© 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 3
Cisco IOS Access
Access Methods (Cont.)

❑ Methods to access the Command Line interface (CLI)

• Console port (Console) (out-of-band)

• Auxiliary port (AUX port) [Deprecated] (out-of-band)
• TTY (via a network interface) → using telnet, SSH (in-band)
• HTTPS, HTTP (via a network interface) (in-band)

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 4
Cisco IOS Access
Access Methods (Out-of-band)

Serial console cable USB console cable

❑ Console: A physical management port used to access a device in order to provide maintenance,
such as performing the initial configurations.
➢ Might be done if network connectivity is not possible Commonly done to initially configure a device
➢ Should be configured with passwords to prevent unauthorized access
➢ Device should be located in a secure room so console port can not be easily accessed
➢ The host accessing the device must be running terminal emulation software (PuTTY, Tera Term) and
must connect to the device using a console cable

❑ Auxiliary (AUX) port: can be attached to a modem

➢ Not all network devices have auxiliary ports
➢ At times, can be used similarly to a console port © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 5
Cisco IOS Access
Access Methods (In-band)
In-band management
• Uses a network connection and an IP address to connect
to the network device.
• Telnet, HTTP, or SSH used (connect to the application
layer of the OSI model)
Network devices allow telnet/SSH via their virtual terminals
(TTY)
Most network devices have at least 5 TTY connections (vty 0, vty 1 … vty 4). Others have 15
Each Telnet or SSH session requires one TTY

❑ Telnet – Establishes an insecure remote CLI connection to a device over the network. (Note: User
authentication, passwords and commands are sent over the network in plaintext.)
❑ Secure Shell (SSH) – Establishes a secure remote CLI connection to a device, through a virtual
interface, over a network. (Note: This is the recommended method for remotely connecting to a device.)

➢ The host accessing the device must be running terminal emulation software (PuTTY, Tera Term) and must
be able to reach the device via its IP address. → Network connectivity© 2016
is aCiscomust.
and/or its affiliates. All rights reserved. Cisco Confidential 6
Cisco IOS Access
Terminal Emulation Programs
• Terminal emulation programs are used to connect to a network device by either a console
port or by an SSH/Telnet connection.
• There are several terminal emulation programs to chose from such as PuTTY, Tera Term
and SecureCRT.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 7
Cisco IOS Access
Router interfaces (Cables)

Used in WANs
Used in LANs

Ethernet Cable Smart Serial Cable

Connect The router is typically a DTE device

a host to a switch
a Switch to another Switch The cable connects the serial interface of a router
a Switch to a router to a CSU/DSU device (DCE).
a Router to a Router
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 8
2.2 IOS Navigation

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 9
IOS Navigation
Primary Command Modes

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 10
IOS Navigation
Primary Command Modes
User EXEC Mode:
• Allows access to only a limited
number of basic monitoring
commands
• Is often referred to as view-
only omde
• Identified by the CLI prompt
that ends with the > symbol

Privileged EXEC Mode:

• Allows access to all
commands and features
• Identified by the CLI prompt
that ends with the # symbol

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 11
IOS Navigation
Configuration Mode and Subconfiguration Modes

Global Configuration Mode:

• Used to access
configuration options on the
device

Line Configuration Mode:

• Used to configure console,
SSH, Telnet or AUX access

Interface Configuration Mode:

• Used to configure a switch
port or router interface
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 12
IOS Navigation
Navigation Between IOS Modes
▪ Privileged EXEC Mode:
• To move from user EXEC mode to privilege
EXEC mode, use the enabled command.
▪ Global Configuration Mode:
• To move in and out of global configuration
mode, use the configure terminal
command. To return to privilege EXEC
mode, use the exit command.
▪ Line Configuration Mode:
• To move in and out of line configuration
mode, use the line command followed by
the management line type. To return to
global configuration mode, use the exit
command.
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 13
IOS Navigation
Navigation Between IOS Modes (Cont.)
Subconfiguration Modes:
• To move out of any subconfiguration mode to
get back to global configuration mode, use
the exit command. To return to privilege
EXEC mode, use the end command or key
combination Ctrl +Z.

• To move directly from one subconfiguration

mode to another, type in the desired
subconfiguration mode command. In the
example, the command prompt changes from
(config-line)# to (config-if)#.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 14
IOS Navigation
Navigation Between IOS Modes (Cont.)

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 15
2.3 The Command Structure

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 16
The Command Structure
Basic IOS Command Structure

• Keyword – This is a specific parameter defined in the operating system (in the figure, ip
protocols).

• Argument - This is not predefined; it is a value or variable defined by the user (in the
figure, [Link]).

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 17
The Command Structure
IOS Command Syntax Check
A command might require one or more arguments. To determine the keywords
and arguments required for a command, refer to the command syntax.
• Boldface text indicates commands and keywords that are entered as shown.
• Italic text indicates an argument for which the user provides the value.

Convention Description
Boldface text indicates commands and keywords that you enter literally as
boldface
shown.
italics Italic text indicates arguments for which you supply values.

[x] Square brackets indicate an optional element (keyword or argument).

{x} Braces indicate a required element (keyword or argument).

Braces and vertical lines within square brackets indicate a required choice
[x {y | z }] within an optional element. Spaces are used to clearly delineate parts of the
command.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 18
The Command Structure
IOS Command Syntax Check (Cont.)
▪ The command syntax provides the pattern, or format, that must be used when
entering a command.

▪ The command is ping and the user-defined

argument is the ip-address of the
destination device. For example, ping
[Link].
▪ The command is traceroute and the
user-defined argument is the ip-
address of the destination device. For
example, traceroute [Link].

▪ If a command is complex with multiple arguments, you may see it represented like this:

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 19
The Command Structure
IOS Help Features
The IOS has two forms of help available: context-sensitive help and command
syntax check.
• Context-sensitive help enables you to • Command syntax check verifies that
quickly find answers to these questions: a valid command was entered by
• Which commands are available in each command the user.
mode? • If the interpreter cannot understand the
• Which commands start with specific characters or command being entered, it will provide
group of characters? feedback describing what is wrong with
the command.
• Which arguments and keywords are available to
particular commands?

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 20
The Command Structure
Hot Keys and Shortcuts
• The IOS CLI provides hot keys and shortcuts that make configuring, monitoring, and
troubleshooting easier.
• Commands and keywords can be shortened to the minimum number of characters
that identify a unique selection. For example, the configure command can be
shortened to conf because configure is the only command that begins with conf.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 21
The Command Structure
Hot Keys and Shortcuts (Cont.)
▪ The table below is a brief list of keystrokes to enhance command line editing.

Keystroke Description

Tab Completes a partial command name entry.

Backspace Erases the character to the left of the cursor.

Left Arrow or Ctrl+B Moves the cursor one character to the left.

Right Arrow or Ctrl+F Moves the cursor one character to the right.

Recalls the commands in the history buffer, beginning with

Up Arrow or Ctrl+P
the most recent commands.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 22
The Command Structure
Hot Keys and Shortcuts (Cont.)
• When a command output produces more text
than can be displayed in a terminal window, • The table below lists commands that can
the IOS will display a “--More--” prompt. The be used to exit out of an operation.
table below describes the keystrokes that can
be used when this prompt is displayed.

Keystroke Description Keystroke Description

When in any configuration mode, ends the
Enter Key Displays the next line. Ctrl-C configuration mode and returns to privileged EXEC
mode.
When in any configuration mode, ends the
Space Bar Displays the next screen. Ctrl-Z configuration mode and returns to privileged EXEC
mode.
Ends the display string, returning to All-purpose break sequence used to abort DNS
Any other key Ctrl-Shift-6
privileged EXEC mode. lookups, traceroutes, pings, etc.

Note: To see more hot keys and shortcuts refer to 2.3.5.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 23
2.4 Basic Device Configuration

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 24
Basic Device Configuration
Device Names
• The first configuration command on any device should be to
give it a unique hostname.
• By default, all devices are assigned a factory default name.
For example, a Cisco IOS switch is "Switch.”

• Guideline for naming devices:

• Start with a letter
• Contain no spaces
• End with a letter or digit
Note: To return the switch to the default
• Use only letters, digits, and dashes
prompt, use the no hostname global
• Be less than 64 characters in length config command.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 25
Basic Device Configuration
Password Guidelines
• The use of weak or easily guessed passwords are a security concern.
• All networking devices should limit administrative access by securing privileged EXEC,
user EXEC, and remote Telnet access with passwords. In addition, all passwords should
be encrypted and legal notifications provided.

• Password Guidelines:
• Use passwords that are more than eight
characters in length.
• Use a combination of upper and lowercase
letters, numbers, special characters, and/or
numeric sequences. Note: Most of the labs in this course use simple
passwords such as cisco or class. These passwords
• Avoid using the same password for all devices. are considered weak and easily guessable and should
• Do not use common words because they are be avoided in production environments.
easily guessed.
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 26
Basic Device Configuration
Configure Passwords
Securing user EXEC mode access:
• First enter line console configuration mode
using the line console 0 command in global
configuration mode.
• Next, specify the user EXEC mode password
using the password password command.
• Finally, enable user EXEC access using
the login command.

Securing privileged EXEC mode access:

• First enter global configuration mode.
• Next, use the enable secret password command.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 27
Basic Device Configuration
Configure Passwords (Cont.)
Securing VTY line access:
• First enter line VTY configuration mode
using the line vty 0 15 command in
global configuration mode.
• Next, specify the VTY password using
the password password command.
• Finally, enable VTY access using
the login command.

▪ Note: VTY lines enable remote access using Telnet or SSH to the device. Many Cisco
switches support up to 16 VTY lines that are numbered 0 to 15.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 28
Basic Device Configuration
Encrypt Passwords
▪ The startup-config and running-config files ▪ Use the show running-config command
display most passwords in plaintext. to verify that the passwords on the device
are now encrypted.
▪ To encrypt all plaintext passwords, use
the service password-encryption global config
command.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 29
Basic Device Configuration
Banner Messages
▪ A banner message is important to warn
unauthorized personnel from attempting
to access the device.
▪ To create a banner message of the day
on a network device, use the banner The banner will be displayed on attempts to access the device.
motd # the message of the day # global
config command.

Note: The “#” in the command syntax is called

the delimiting character. It is entered before
and after the message.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 30
2.5 Save Configurations

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 31
Save Configurations
Configuration Files
▪ There are two system files that store the device configuration:
• startup-config - This is the saved configuration file that is stored in NVRAM. It contains all the commands that will be
used by the device upon startup or reboot. Flash does not lose its contents when the device is powered off.
• running-config - This is stored in Random Access Memory (RAM). It reflects the current configuration. Modifying a
running configuration affects the operation of a Cisco device immediately. RAM is volatile memory. It loses all of its
content when the device is powered off or restarted.
• To save changes made to the running configuration to the startup configuration file, use the copy running-config
startup-config privileged EXEC mode command.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 32
Save Configurations
Alter the Running Configurations
If changes made to the running config do not
have the desired effect and the running-config
has not yet been saved, you can restore the
device to its previous configuration. To do this
you can:
• Remove the changed commands individually.
• Reload the device using the reload command
in privilege EXEC mode. Note: This will cause
the device to briefly go offline, leading to
network downtime.
If the undesired changes were saved to the
startup-config, it may be necessary to clear all
the configurations using the erase startup-
config command in privilege EXEC mode.
• After erasing the startup-config, reload the
device to clear the running-config file from
RAM.
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 33
2.6 Ports and Addresses

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 34
Ports and Addresses
IP Addresses
• The use of IP addresses is the primary means of
enabling devices to locate one another and
establish end-to-end communication on the
internet.
• The structure of an IPv4 address is called dotted
decimal notation and is represented by four
decimal numbers between 0 and 255.
• An IPv4 subnet mask is a 32-bit value that
differentiates the network portion of the address
from the host portion. Coupled with the IPv4
address, the subnet mask determines to which
subnet the device is a member.
• The default gateway address is the IP address of
the router that the host will use to access remote
networks, including the internet.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 35
Ports and Addresses
IP Addresses (Cont.)
• IPv6 addresses are 128 bits in length and
written as a string of hexadecimal values.
Every four bits is represented by a single
hexadecimal digit; for a total of 32
hexadecimal values. Groups of four
hexadecimal digits are separated by a colon
“:”.
• IPv6 addresses are not case-sensitive and
can be written in either lowercase or
uppercase.

Note: IP in this course refers to both the IPv4 and IPv6

protocols. IPv6 is the most recent version of IP and is
replacing the more common IPv4.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 36
Ports and Addresses
Interfaces and Ports
• Network communications depend on end
user device interfaces, networking device
interfaces, and the cables that connect
them.
• Types of network media include twisted-
pair copper cables, fiber-optic cables,
coaxial cables, or wireless.
• Different types of network media have
different features and benefits. Some of
the differences between various types of
media include:
• Distance the media can successfully carry a signal
• Environment in which the media is to be installed
• Amount of data and the speed at which it must be
transmitted
• Cost of the media and installation

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 37
2.7 Configure IP Addressing

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 38
Configure IP Addressing
Manual IP Address Configuration for End Devices
• End devices on the network need an IP address in
order to communicate with other devices on the
network.
• IPv4 address information can be entered into end
devices manually, or automatically using Dynamic
Host Configuration Protocol (DHCP).
• To manually configure an IPv4 address on a Windows
PC, open the Control Panel > Network Sharing
Center > Change adapter settings and choose the
adapter. Next right-click and select Properties to
display the Local Area Connection Properties.
• Next, click Properties to open the Internet Protocol
Version 4 (TCP/IPv4) Properties window. Then
configure the IPv4 address and subnet mask
information, and default gateway. Note: IPv6 addressing and configuration
options are similar to IPv4.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 39
Configure IP Addressing
Automatic IP Address Configuration for End Devices
• DHCP enables automatic IPv4 address
configuration for every end device that is
DHCP-enabled.
• End devices are typically by default
using DHCP for automatic IPv4 address
configuration.
• To configure DHCP on a Windows PC, open
the Control Panel > Network Sharing
Center > Change adapter settings and
choose the adapter. Next right-click and
select Properties to display the Local Area
Connection Properties.
• Next, click Properties to open the Internet
Protocol Version 4 (TCP/IPv4)
Properties window, then select Obtain an Note: IPv6 uses DHCPv6 and SLAAC (Stateless Address
IP address automatically and Obtain DNS Autoconfiguration) for dynamic address allocation.
server address automatically.
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 40
Configure a Switch with Initial Settings
Switch Management Access
To prepare a switch for remote
management access, the switch must be
configured with an IP address and a
subnet mask.
• To manage the switch from a remote
network, the switch must be configured
with a default gateway. This is very
similar to configuring the IP address
information on host devices.
• In the figure, the switch virtual interface
(SVI) on S1 should be assigned an IP
address. The SVI is a virtual interface,
not a physical port on the switch. A
console cable is used to connect to a
PC so that the switch can be initially
configured.
➢ Assigning an IP address to the switch is OPTIONAL
➢ Layer 2 Switches do NOT need an IP address to forward
© 2016 Ethernet frames
Cisco and/or its affiliates. All rights reserved. Cisco Confidential 41
Configure IP Addressing
Switch Virtual Interface Configuration
To access the switch remotely (telnet, SSH..), an IP address and a subnet mask must be
configured on the SVI.
To configure an SVI on a switch:
• Enter the interface vlan 1 command in global configuration mode.
• Next assign an IPv4 address using the ip address ip-address subnet-mask command.
• Finally, enable the virtual interface using the no shutdown command. (administratively
enabling the interface)

➢ Assigning an IP address to the switch is OPTIONAL

➢ Layer 2 Switches do NOT need an IP address to forward Ethernet frames

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 42
Configure a Switch with Initial Settings
Switch SVI Configuration Example (Cont.)
Task IOS Commands

Enter global configuration mode. S1# configure terminal

Enter interface configuration mode for the
S1(config)# interface vlan 1
SVI.
Configure the management interface IPv4
S1(config-if)# ip address [Link] [Link]
address.
Enable the management interface. S1(config-if)# no shutdown

Return to the privileged EXEC mode. S1(config-if)# end

Save the running config to the startup
S1# copy running-config startup-config
config.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 43
Configure a Switch with Initial Settings
Switch SVI Configuration Example (Cont.)
Step 2: Configure the Default Gateway
• The switch should be configured with a default gateway if it will be managed remotely
from networks that are not directly connected.
• Note: Because, it will receive its default gateway information from a router advertisement (RA)
message, the switch does not require an IPv6 default gateway.

Task IOS Commands

Enter global configuration mode. S1# configure terminal

Configure the default gateway for the switch. S1(config)# ip default-gateway [Link]

Return to the privileged EXEC mode. S1(config-if)# end

Save the running config to the startup config. S1# copy running-config startup-config

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 44
Configure Interfaces
Configure Router Interfaces
Configuring a router interface includes issuing the following commands:

Router(config)# interface type-and-number

Router(config-if)# description description-text
Router(config-if)# ip address ipv4-address subnet-mask
Router(config-if)# ipv6 address ipv6-address/prefix-length
Router(config-if)# no shutdown

• It is a good practice to use the description command to add

information about the network connected to the interface.
• The no shutdown command activates the interface.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 45
Configure Interfaces
Configure Router Interfaces Example
The commands to configure interface G0/0/0 on R1 are shown here:

R1(config)# interface gigabitEthernet 0/0/0

R1(config-if)# description Link to LAN
R1(config-if)# ip address [Link] [Link]
R1(config-if)# ipv6 address [Link]/64
R1(config-if)# no shutdown
R1(config-if)# exit
R1(config)#
*Aug 1 [Link].435: %LINK-3-UPDOWN: Interface GigabitEthernet0/0/0, changed state to down
*Aug 1 [Link].447: %LINK-3-UPDOWN: Interface GigabitEthernet0/0/0, changed state to up
*Aug 1 [Link].447: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/0,
changed state to up

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 46
Configure Interfaces
Configure Router Interfaces Example (Cont.)
The commands to configure interface G0/0/1 on R1 are shown here:

R1(config)# interface gigabitEthernet 0/0/1

R1(config-if)# description Link to R2
R1(config-if)# ip address [Link] [Link]
R1(config-if)# ipv6 address [Link]/64
R1(config-if)# no shutdown
R1(config-if)# exit
R1(config)#
*Aug 1 [Link].170: %LINK-3-UPDOWN: Interface GigabitEthernet0/0/1, changed state to down
*Aug 1 [Link].171: %LINK-3-UPDOWN: Interface GigabitEthernet0/0/1, changed state to up
*Aug 1 [Link].171: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/1,
changed state to up

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 47
Configure Interfaces
Verify Interface Configuration
To verify interface configuration use the show ip interface brief and
show ipv6 interface brief commands shown here:

R1# show ip interface brief

Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0/0 [Link] YES manual up up
GigabitEthernet0/0/1 [Link] YES manual up up
Vlan1 unassigned YES unset administratively down down

R1# show ipv6 interface brief

GigabitEthernet0/0/0 [up/up]
FE80::201:C9FF:FE89:4501
[Link]
GigabitEthernet0/0/1 [up/up]
FE80::201:C9FF:FE89:4502
[Link]
Vlan1 [administratively down/down]
unassigned
R1#

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 48
Configure Interfaces
Configure Verification Commands

The table summarizes show commands used to verify interface configuration.

Commands Description

show ip interface brief Displays all interfaces, their IP addresses, and their current
show ipv6 interface brief status.
show ip route Displays the contents of the IP routing tables stored in
show ipv6 route RAM.
show interfaces Displays statistics for all interfaces on the device. Only
displays the IPv4 addressing information.
show ip interfaces Displays the IPv4 statistics for all interfaces on a router.

show ipv6 interfaces Displays the IPv6 statistics for all interfaces on a router.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 49
Configure Interfaces
Configure Verification Commands (Cont.)
View status of all interfaces with the show ip interface brief and show ipv6 interface
brief commands, shown here:

R1# show ip interface brief

Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0/0 [Link] YES manual up up
GigabitEthernet0/0/1 [Link] YES manual up up
Vlan1 unassigned YES unset administratively down down
R1#

R1# show ipv6 interface brief

GigabitEthernet0/0/0 [up/up]
FE80::201:C9FF:FE89:4501
[Link]
GigabitEthernet0/0/1 [up/up]
FE80::201:C9FF:FE89:4502
[Link]
Vlan1 [administratively down/down]
unassigned
R1#

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 50
Configure the Default Gateway
Default Gateway on a Host
• The default gateway is used
when a host sends a packet to a
device on another network.
• The default gateway address is
generally the router interface
address attached to the local
network of the host.
• To reach PC3, PC1 addresses a
packet with the IPv4 address of
PC3, but forwards the packet to
its default gateway, the G0/0/0
interface of R1.
Note: The IP address of the host and the
router interface must be in the same network.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 51
Configure the Default Gateway
Default Gateway on a Switch

• A switch must have a

default gateway address
configured to remotely
manage the switch from
another network.
• To configure an IPv4
default gateway on a
switch, use the ip default-
gateway ip-address
global configuration
command.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 52
2.8 Configure Switch Ports

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 53
Configure Switch Ports
Duplex Communication
• Full-duplex communication increases bandwidth efficiency by allowing both ends of a
connection to transmit and receive data simultaneously. This is also known as
bidirectional communication and it requires microsegmentation.
• A microsegmented LAN is created when a switch port has only one device connected
and is operating in full-duplex mode. There is no collision domain associated with a
switch port operating in full-duplex mode.
• Unlike full-duplex communication, half-duplex communication is unidirectional. Half-
duplex communication creates performance issues because data can flow in only one
direction at a time, often resulting in collisions.
• Gigabit Ethernet and 10 Gb NICs require full-duplex connections to operate. In full-
duplex mode, the collision detection circuit on the NIC is disabled. Full-duplex offers
100 percent efficiency in both directions (transmitting and receiving). This results in a
doubling of the potential use of the stated bandwidth.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 54
Configure Switch Ports
Configure Switch Ports at the Physical Layer
• Switch ports can be manually configured with specific duplex and speed settings. The respective
interface configuration commands are duplex and speed.
• The default setting for both duplex and speed for switch ports on Cisco Catalyst 2960 and 3560
switches is auto. The 10/100/1000 ports operate in either half- or full-duplex mode when they are
set to 10 or 100 Mbps and operate only in full-duplex mode when it is set to 1000 Mbps (1 Gbps).
• Autonegotiation is useful when the speed and duplex settings of the device connecting to the port
are unknown or may change. When connecting to known devices such as servers, dedicated
workstations, or network devices, a best practice is to manually set the speed and duplex
settings.
• When troubleshooting switch port issues, it is important that the duplex and speed settings are
checked.
Note: Mismatched settings for the duplex mode and speed of switch ports can cause connectivity
issues. Autonegotiation failure creates mismatched settings.

All fiber-optic ports, such as 1000BASE-SX ports, operate only at one preset speed and are always
full-duplex
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 55
Configure Switch Ports
Configure Switch Ports at the Physical Layer (Cont.)

Task IOS Commands

Enter global configuration mode. S1# configure terminal

Enter interface configuration mode. S1(config)# interface FastEthernet 0/1

Configure the interface duplex. S1(config-if)# duplex full

Configure the interface speed. S1(config-if)# speed 100

Return to the privileged EXEC mode. S1(config-if)# end

Save the running config to the startup config. S1# copy running-config startup-config

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 56
Configure Switch Ports
Auto-MDIX
• When automatic medium-dependent interface crossover (auto-MDIX) is enabled, the switch
interface automatically detects the required cable connection type (straight-through or
crossover) and configures the connection appropriately.
• When connecting to switches without the auto-MDIX feature, straight-through cables must
be used to connect to devices such as servers, workstations, or routers. Crossover cables
must be used to connect to other switches or repeaters.
• With auto-MDIX enabled, either type of cable can be used to connect to other devices, and
the interface automatically adjusts to communicate successfully.
• On newer Cisco switches, the mdix auto interface configuration mode command enables
the feature. When using auto-MDIX on an interface, the interface speed and duplex must be
set to auto so that the feature operates correctly.
Note: The auto-MDIX feature is enabled by default on Catalyst 2960 and Catalyst 3560
switches but is not available on the older Catalyst 2950 and Catalyst 3550 switches.
To examine the auto-MDIX setting for a specific interface, use the show controllers ethernet-
controller command with the phy keyword. To limit the output to lines referencing auto-MDIX,
use the include Auto-MDIX filter.
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 57
Configure Switch Ports
Switch Verification Commands
Task IOS Commands

Display interface status and configuration. S1# show interfaces [interface-id]

Display current startup configuration. S1# show startup-config

Display current running configuration. S1# show running-config

Display information about flash file system. S1# show flash

Display system hardware and software status. S1# show version

Display history of command entered. S1# show history

S1# show ip interface [interface-id]

Display IP information about an interface. OR
S1# show ipv6 interface [interface-id]
S1# show mac-address-table
Display the MAC address table. OR
S1# show mac address-table

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 58
Configure Switch Ports
Verify Switch Port Configuration
The show running-config command can be used to verify that the switch has been correctly
configured. From the sample abbreviated output on S1, some important information is shown
in the figure:
• Fast Ethernet 0/18 interface configured with the management VLAN 99
• VLAN 99 configured with an IPv4 address of [Link] [Link]
• Default gateway set to [Link]

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 59
Configure Switch Ports
Verify Switch Port Configuration (Cont.)
The show interfaces command is another commonly used command, which displays status and
statistics information on the network interfaces of the switch. The show interfaces command is
frequently used when configuring and monitoring network devices.

The first line of the output for the show interfaces fastEthernet 0/18 command indicates that the
FastEthernet 0/18 interface is up/up, meaning that it is operational. Further down, the output shows
that the duplex is full and the speed is 100 Mbps.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 60
Configure Switch Ports
Network Access Layer Issues
The output from the show interfaces command is useful for detecting common media issues. One of
the most important parts of this output is the display of the line and data link protocol status, as shown
in the example.
The first parameter (FastEthernet0/18 is up) refers to the hardware layer and indicates whether the
interface is receiving a carrier detect signal. The second parameter (line protocol is up) refers to the
data link layer and indicates whether the data link layer protocol keepalives are being received.
Based on the output of the show interfaces command, possible problems can be fixed as follows:
• If the interface is up and the line protocol is down, a problem exists. There could be an encapsulation type mismatch, the
interface on the other end could be error-disabled, or there could be a hardware problem.
• If the line protocol and the interface are both down, a cable is not attached, or some other interface problem exists. For
example, in a back-to-back connection, the other end of the connection may be administratively down.
• If the interface is administratively down, it has been manually disabled (the shutdown command has been issued) in the
active configuration.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 61
Configure Switch Ports
Network Access Layer Issues (Cont.)
The show
interfaces command output
displays counters and
statistics for the
FastEthernet0/18 interface,
as shown here:

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 62
Configure Switch Ports
Network Access Layer Issues (Cont.)
Some media errors are not severe enough to cause the circuit to fail but do cause network
performance issues. The table explains some of these common errors which can be detected using
the show interfaces command.
Error Type Description

Input Errors Total number of errors. It includes runts, giants, no buffer, CRC, frame, overrun, and ignored counts.

Packets that are discarded because they are smaller than the minimum packet size for the medium.
Runts
For instance, any Ethernet packet that is less than 64 bytes is considered a runt.
Packets that are discarded because they exceed the maximum packet size for the medium. For
Giants
example, any Ethernet packet that is greater than 1,518 bytes is considered a giant.

CRC CRC errors are generated when the calculated checksum is not the same as the checksum received.

Sum of all errors that prevented the final transmission of datagrams out of the interface that is being
Output Errors
examined.

Collisions Number of messages retransmitted because of an Ethernet collision.

Late Collisions A collision that occurs after 512 bits of the frame have been transmitted

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 63
Configure Switch Ports
Interface Input and Output Errors
“Input errors” is the sum of all errors in datagrams that were received on the interface
being examined. This includes runts, giants, CRC, no buffer, frame, overrun, and ignored
counts. The reported input errors from the show interfaces command include the
following:
• Runt Frames - Ethernet frames that are shorter than the 64-byte minimum allowed
length are called runts. Malfunctioning NICs are the usual cause of excessive runt
frames, but they can also be caused by collisions.
• Giants - Ethernet frames that are larger than the maximum allowed size are called
giants.
• CRC errors - On Ethernet and serial interfaces, CRC errors usually indicate a media
or cable error. Common causes include electrical interference, loose or damaged
connections, or incorrect cabling. If you see many CRC errors, there is too much
noise on the link and you should inspect the cable. You should also search for and
eliminate noise sources.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 64
Configure Switch Ports
Interface Input and Output Errors (Cont.)
“Output errors” is the sum of all errors that prevented the final transmission of datagrams
out the interface that is being examined. The reported output errors from the show
interfaces command include the following:
• Collisions - Collisions in half-duplex operations are normal. However, you should
never see collisions on an interface configured for full-duplex communication.
• Late collisions - A late collision refers to a collision that occurs after 512 bits of the
frame have been transmitted. Excessive cable lengths are the most common cause of
late collisions. Another common cause is duplex misconfiguration.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 65
Configure Switch Ports
Troubleshooting Network Access Layer Issues

To troubleshoot
scenarios involving no
connection, or a bad
connection, between a
switch and another
device, follow the
general process
shown in the figure.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 66
2.9 Secure Remote Access

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 67
Secure Remote Access
Telnet Operation
Telnet uses TCP port 23. It is an older
protocol that uses unsecure plaintext
transmission of both the login
authentication (username and
password) and the data transmitted
between the communicating devices.
A threat actor can monitor packets using
Wireshark. For example, in the figure
the threat actor captured the
username admin and
password ccna from a Telnet session.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 68
Secure Remote Access
SSH Operation
Secure Shell (SSH) is a secure protocol that uses
TCP port 22. It provides a secure (encrypted)
management connection to a remote device.
SSH should replace Telnet for management
connections. SSH provides security for remote
connections by providing strong encryption when
a device is authenticated (username and
password) and also for the transmitted data
between the communicating devices.

The figure shows a Wireshark capture of an SSH

session. The threat actor can track the session
using the IP address of the administrator device.
However, unlike Telnet, with SSH the username
and password are encrypted.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 69
Secure Remote Access
Verify the Switch Supports SSH
To enable SSH on a Catalyst 2960 switch, the switch must be using a version of the IOS
software including cryptographic (encrypted) features and capabilities. Use the show
version command on the switch to see which IOS the switch is currently running. An IOS
filename that includes the combination “k9” supports cryptographic (encrypted) features
and capabilities.

The example shows the output of the show version command.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 70
Secure Remote Access
Configure SSH
Before configuring SSH, the switch must be minimally configured with a unique hostname and the correct
network connectivity settings.
Step 1: Verify SSH support - Use the show ip ssh command to verify that the switch supports SSH. If the switch is not
running an IOS that supports cryptographic features, this command is unrecognized.
Step 2: Configure the IP domain - Configure the IP domain name of the network using the ip domain-name domain-
name global configuration mode command.
Step 3: Generate RSA key pairs - Generating an RSA key pair automatically enables SSH. Use the crypto key generate
rsa global configuration mode command to enable the SSH server on the switch and generate an RSA key pair.
Note: To delete the RSA key pair, use the crypto key zeroize rsa global configuration mode command. After the RSA key
pair is deleted, the SSH server is automatically disabled.
Step 4: Configure user authentication - The SSH server can authenticate users locally or using an authentication server. To
use the local authentication method, create a username and password pair using
the username username secret password global configuration mode command.
Step 5: Configure the vty lines - Enable the SSH protocol on the vty lines by using the transport input ssh line configuration
mode command. Use the line vty global configuration mode command and then the login local line configuration mode
command to require local authentication for SSH connections from the local username database.
Step 6: Enable SSH version 2 - By default, SSH supports both versions 1 and 2. When supporting both versions, this is
shown in the show ip ssh output as supporting version 2. Enable SSH version using the ip ssh version 2 global
configuration command.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 71
Secure Remote Access
Verify SSH is Operational
On a PC, an SSH client such as PuTTY, is used to connect to an SSH server. For example, assume the
following is configured:
• SSH is enabled on switch S1
• Interface VLAN 99 (SVI) with IPv4 address [Link] on switch S1
• PC1 with IPv4 address [Link]
Using a terminal emulator, initiate an SSH connection to the SVI VLAN IPv4 address of S1 from PC1.
When connected, the user is prompted for a username and password as shown in the example. Using the
configuration from the previous example, the username admin and password ccna are entered. After
entering the correct combination, the user is connected via SSH to the command line interface (CLI) on the
Catalyst 2960 switch.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 72
Secure Remote Access
Verify SSH is Operational (Cont.)
To display the version and configuration data for SSH on the device that you configured as an SSH
server, use the show ip ssh command. In the example, SSH version 2 is enabled.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 73
Secure Remote Access
Packet Tracer – Configure SSH
In this Packet Tracer, you will do the following:
• Secure passwords
• Encrypt communications
• Verify SSH implementation

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 74
2.10 Verify Connectivity

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 75
Verify Connectivity
Verify Connectivity with Ping
Whether your network is small and new, or you are scaling an existing network, you will
always want to be able to verify that your components are properly connected to each other
and to the internet.
• The ping command, available on most operating systems, is the most effective way to
quickly test Layer 3 connectivity between a source and destination IP address.
• The ping command uses the Internet Control Message Protocol (ICMP) echo (ICMP Type
8) and echo reply (ICMP Type 0) messages.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 76
Verify Connectivity
Verify Connectivity with Ping (Cont.)
On a Windows 10 host, the ping command sends four consecutive ICMP echo messages
and expects four consecutive ICMP echo replies from the destination. The IOS ping sends
five ICMP echo messages and displays an indicator for each ICMP echo reply received.

IOS Ping Indicators are as follows:

Element Description
•Exclamation mark indicates successful receipt of an echo reply message.
!
•It validates a Layer 3 connection between source and destination.
•A period means that time expired waiting for an echo reply message.
.
•This indicates a connectivity problem occurred somewhere along the path.
•Uppercase U indicates a router along the path responded with an ICMP Type 3 “destination unreachable”
error message.
U
•Possible reasons include the router does not know the direction to the destination network or it could not
find the host on the destination network.

Note: Other possible ping replies include Q, M, ?, or &. However, the meaning of these are out of scope for this module.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 77
Verify Connectivity
Extended Ping
The Cisco IOS offers an "extended" mode
of the ping command.

Extended ping is entered in privileged

EXEC mode by typing ping without a
destination IP address. You will then be
given several prompts to customize the
extended ping.

Note: Pressing Enter accepts the

indicated default values. The ping
ipv6 command is used for IPv6 extended
pings.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 78
Verify Connectivity
Verify Connectivity with Traceroute
The ping command is useful to quickly determine if there is a Layer 3 connectivity problem.
However, it does not identify where the problem is located along the path.
• Traceroute can help locate Layer 3 problem areas in a network. A trace returns a list of
hops as a packet is routed through a network.
• The syntax of the trace command varies between operating systems.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 79
Verify Connectivity
Verify Connectivity with Traceroute (Cont.)
• The following is a sample output of tracert command on a Windows 10 host.
Note: Use Ctrl-C to interrupt a tracert in Windows.
• The only successful response was from the gateway on R1. Trace requests to the
next hop timed out as indicated by the asterisk (*), meaning that the next hop router
did not respond or there is a failure in the network path. In this example there appears
to be a problem between R1 and R2.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 80
Verify Connectivity
Verify Connectivity with Traceroute (Cont.)
The following are sample outputs of traceroute command from R1:

• On the left, the trace validated that it could successfully reach PC B.

• On the right, the [Link] host was not available, and the output shows asterisks
where replies timed out. Timeouts indicate a potential network problem.
• Use Ctrl-Shift-6 to interrupt a traceroute in Cisco IOS.

Note: Windows implementation of traceroute (tracert) sends ICMP Echo Requests. Cisco IOS and
Linux use UDP with an invalid port number. The final destination will return an ICMP port
unreachable message.
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 81
Verify Connectivity
Extended Traceroute
Like the extended ping command, there is also an extended traceroute command. It
allows the administrator to adjust parameters related to the command operation.

The Windows tracert command allows the input of several parameters through options in
the command line. However, it is not guided like the extended traceroute IOS command.
The following output displays the available options for the Windows tracert command:

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 82
Verify Connectivity
Extended Traceroute (Cont.)
• The Cisco IOS extended traceroute option enables
the user to create a special type of trace by
adjusting parameters related to the command
operation.
• Extended traceroute is entered in privileged EXEC
mode by typing traceroute without a destination IP
address. IOS will guide you through the command
options by presenting a number of prompts related
to the setting of all the different parameters.

• Note: Pressing Enter accepts the indicated default

values.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 83
Packet Tracer Simulation
This activity will cover the following:

• Copy the running-config file to the startup-config file

• Show the files in the flash or NVRAM directory

• Use command shortening

• Erase the startup-config file

• Configure hostnames and IP addresses on two switches (using Switch Virtual interfaces)

• Use Cisco IOS commands to specify or limit access to the device configurations (console and enable secret
password, etc..)

• Use IOS commands to save the running configuration

• Configure two host devices with IP addresses

• Verify connectivity between the two PC end devices (using ping and traceroute)

• Configure and Verify Basic Switch Settings

• Use the show commands

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 84
2.9 Host and IOS Commands

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 85
Host and IOS Commands
IP Configuration on a Windows Host
In Windows 10, you can access the IP address details from the Network and Sharing Center to
quickly view the four important settings: address, mask, router, and DNS. Or you can issue
the ipconfig command at the command line of a Windows computer.
• Use the ipconfig /all command to view the MAC address, as well as a number of details
regarding the Layer 3 addressing of the device.
• If a host is configured as a DHCP client, the IP address configuration can be renewed using
the ipconfig /release and ipconfig /renew commands.
• The DNS Client service on Windows PCs also optimizes the performance of DNS name
resolution by storing previously resolved names in memory. The ipconfig
/displaydns command displays all of the cached DNS entries on a Windows computer system.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 86
Host and IOS Commands
IP Configuration on a Linux Host
• Verifying IP settings using the GUI on a Linux
machine will differ depending on the Linux
distribution and desktop interface.
• On the command line, use
the ifconfig command to display the status of
the currently active interfaces and their IP
configuration.
• The Linux ip address command is used to
display addresses and their properties. It can
also be used to add or delete IP addresses.

Note: The output displayed may vary depending

on the Linux distribution.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 87
Host and IOS Commands
IP Configuration on a macOS Host
• In the GUI of a Mac host, open Network
Preferences > Advanced to get the IP
addressing information.
• The ifconfig command can also be used
to verify the interface IP configuration at
the command line.
• Other useful macOS commands to verify
the host IP settings include networksetup
-listallnetworkservices and
the networksetup -getinfo <network
service>.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 88
Host and IOS Commands
The arp Command
The arp command is executed from the Windows, Linux, or Mac command prompt. The
command lists all devices currently in the ARP cache of the host.
• The arp -a command displays the known IP address and MAC address binding. The
ARP cache only displays information from devices that have been recently accessed.
• To ensure that the ARP cache is populated, ping a device so that it will have an entry
in the ARP table.
• The cache can be cleared by using the netsh interface ip delete
arpcache command in the event the network administrator wants to repopulate the
cache with updated information.

Note: You may need administrator access on the host to be able to use the netsh
interface ip delete arpcache command.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 89
Host and IOS Commands
Common show Commands Revisited

Command Description

show running-config Verifies the current configuration and settings

show interfaces Verifies the interface status and displays any error messages

show ip interface Verifies the Layer 3 information of an interface

show arp Verifies the list of known hosts on the local Ethernet LANs

show ip route Verifies the Layer 3 routing information

show protocols Verifies which protocols are operational

show version Verifies the memory, interfaces, and licenses of the device

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 90
Host and IOS Commands
The show cdp neighbors Command
CDP provides the following information about each CDP neighbor device:
• Device identifiers - The configured host name of a switch, router, or other device
• Address list - Up to one network layer address for each protocol supported
• Port identifier - The name of the local and remote port in the form of an ASCII character
string, such as FastEthernet 0/0
• Capabilities list - Whether a specific device is a Layer 2 switch or a Layer 3 switch
• Platform - The hardware platform of the device.
The show cdp neighbors detail command reveals the IP address of a neighboring device.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 91
Host and IOS Commands
The show ip interface brief Command
One of the most frequently used commands is the show ip interface brief command.
This command provides a more abbreviated output than the show ip
interface command. It provides a summary of the key information for all the network
interfaces on a router.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 92
Module 2 : Basic Switch and End Device Configuration
New Terms and Commands
• operating system (OS) • line configuration mode • console
• CLI • interface configuration mode • enable secret
• GUI • Enable • VTY line
• shell • configure terminal • show running-config
• kernel • exit • banner motd
• hardware • end • startup-config
• console • argument • running-config
• Secure Shell (SSH) • keyword • reload
• Telnet • command syntax • erase startup-config
• terminal emulation • ping • DHCP
programs • traceroute • switch virtual interface (SVI)
• user EXEC mode • help command ”?” • ipconfig
• privileged EXEC mode • hot keys • show ip int brief
• hostname

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 93
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 94