Tuesday, September 24, 2013

Lesson 1 -- Building a LAN

Congratulations!

You have just taken a job with a new company! Your company is a brand new start-up, and they have absolutely nothing in the way of Information Technology. You've been hired to build their corporate network from the ground up. They have several server and desktop PCs -- running Linux, of course, with maybe a few FreeBSD hosts thrown in for good measure ;) -- and your first job is to get them connected. You have a shoe-string budget, so you went on E-Bay and found an old Cisco Catalyst 2924XL switch for $20 (plus shipping). You'll have to build a local area network so that the servers and desktops can communicate with each other. Ready? Cool -- let's get started!

We'll start with selecting an IP addressing scheme. TCP/IP, often called IPv4, isn't the only choice, but it's by far the most common choice, so for now, we'll stick with it. We've already stated that this is a small company with just a handful of hosts on the network, so we don't need a lot of addresses, and we only need one subnet. But what IP address do we use? We can't use just any address, since at some point, we'll want to connect to the Internet. If we pick a range of IP addresses that are already in use, we'll cause ourselves all kinds of problems. Fortunately, this is not a new problem, and the answer is defined in an Internet standard known as RFC-1918. The linked document is somewhat technical, so if you don't want to get that intense quite yet, then let's just say that RFC-1918 defines three groups of IP addresses that you are free to use on internal networks, without fear of colliding with others' IP addresses.

For now, we want to keep things simple, so we will use the subnet 192.168.1.0/24 (IP addresses in the range of 192.168.1.1 through 192.168.1.254) for our network. We'll reserve 192.168.1.1 -- you'll see why in the next lesson -- and we will assign the next few addresses in our network to our servers. We have a file server at 192.168.1.2, a DNS server on 192.168.1.3 (and a backup DNS server on 192.168.1.4), and a web server at 192.168.1.5. Our LAN switch will have the IP address 192.168.1.254. We will statically (manually) assign IP addresses to all of the hosts in our network.
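To see how that addressing plan holds up, here is a small Python helper (added for this write-up, not part of the original lesson) that checks a proposed static address against the three RFC-1918 ranges and against the assignments above, and hands out the next free addresses. The subnet, the reserved address and the server list are taken from this paragraph; the verdict strings are my own.

```python
import ipaddress

# Addressing plan from this lesson: 192.168.1.0/24 with these fixed assignments.
LAN = ipaddress.ip_network("192.168.1.0/24")
ASSIGNED = {
    "192.168.1.1": "reserved (see Lesson 2)",
    "192.168.1.2": "file server",
    "192.168.1.3": "DNS server",
    "192.168.1.4": "backup DNS server",
    "192.168.1.5": "web server",
    "192.168.1.254": "LAN switch",
}
# The three private ranges RFC 1918 sets aside for internal use.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    """True if addr lies in one of the three RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def check_host(addr):
    """Verdict for a proposed static host address on this LAN."""
    ip = ipaddress.ip_address(addr)
    if not is_rfc1918(addr):
        return "public address: may collide with a real Internet host"
    if ip not in LAN:
        return "not in 192.168.1.0/24: cannot reach the other hosts directly"
    if ip in (LAN.network_address, LAN.broadcast_address):
        return "network/broadcast address: not usable by a host"
    if addr in ASSIGNED:
        return "already assigned: " + ASSIGNED[addr]
    return "ok"


def next_free(count):
    """The next `count` unassigned host addresses, lowest first."""
    free = [str(h) for h in LAN.hosts() if str(h) not in ASSIGNED]
    return free[:count]


if __name__ == "__main__":
    for candidate in ("192.168.1.6", "192.168.1.3", "10.0.0.7", "8.8.8.8"):
        print(candidate, "->", check_host(candidate))
    print("next free:", next_free(3))
```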

Once we have reserved IP addresses to use on our network, we'll need to configure our LAN switch to connect all of these devices. But...how do you access the switch to put a configuration on it before it has been added to our network? Again, this is a problem that has already been solved. Cisco -- and pretty much every other network vendor that I've worked with -- has included a serial port on the chassis of the switch for management access. On the 2924, this port is labelled "CON" (short for "console"), and you can access it through a terminal program like Minicom on Linux machines, or Hyperterm on a Windows PC. Configuring your PC's terminal program is beyond the scope of this tutorial (read that as, "it's boring, and there are a lot of options so this document would become quite large without providing information that is easily obtained from Google" LOL), so I am going to assume that you already know how to configure your terminal emulator on your particular OS. If you don't, spend some quality time with Google; I'll wait here until you're done :)

Are you back yet? Good! You've got your terminal set for 9600 baud, eight bits, no parity bits and one stop bit (often abbreviated, "9600-8N1"), right? Great! Press the "Enter" key on your keyboard a few times, and you should see something on your screen kind of like this:


Scratch that. My E-Bay 2924 arrived yesterday, and I now have two 2924XL switches that don't respond on the console port. That makes me think I'm doing something wrong, but since the above instructions work on every Cisco router, Brocade/Foundry switch and ImageStream router that I've ever used (as well as a multitude of other network devices), I can't imagine what I might be missing on the Catalyst switches. In any case, the bottom line is that right now, I can't describe setting up the initial settings via console. If yours works by following the above instructions, awesome. If not, here are a couple of things that I did to gain management access in the hopes that they help you, but be forewarned -- they are slightly advanced topics, especially for Lesson 1. For now, I'm just going to assume that you've got management access to the switch, but I promise to update this post as soon as I can figure this problem out. Sorry :(
Switch>
Notice the "greater-than" symbol? That means that you are in "User mode," a Cisco term that basically means "you are logged in, but can't really do anything useful." If you want to make changes to the switch's configuration -- and we do -- you'll need to enter "Privileged Exec mode." Type "en" (short for "enable" -- which you can also type), then press enter and you will see the prompt change to this:
Switch#
To return to "User mode," just type "disable" and press enter. Pretty simple, no?

Let's actually make some changes to the switch configuration now. I'm going to list some commands below; go ahead and enter them on your switch or simulator, and I'll explain what each command does in just a minute. I promise not to tell you to do anything that will damage your switch (at least, not intentionally), but if you are working on real equipment, PLEASE make sure it is not a production switch, and that it is in an isolated lab environment! I accept no responsibility if you break your corporate network because you are practising on a live, production network!

Switch# conf t
Switch(config)# service password-encryption
Switch(config)# hostname lab2924b
lab2924b(config)# enable secret mysecretpassword
lab2924b(config)# username root password mysecretpassword
lab2924b(config)# ip subnet-zero
lab2924b(config)# no ip domain-lookup
lab2924b(config)# ip domain-name example.com
lab2924b(config)# interface VLAN1
lab2924b(config-if)# ip address 192.168.1.253 255.255.255.0
lab2924b(config-if)# exit
lab2924b(config)# ip default-gateway 192.168.1.1
lab2924b(config)# banner motd ~
########################################
# Warning!!! Unauthorised access is    #
# prohibited, etc., etc. Attempting    #
# to gain access in excess of allowed  #
# clearance <insert dire warning here> #
# etc., etc.                           #
########################################
~
lab2924b(config)# line con 0
lab2924b(config-line)# exec-timeout 30 0
lab2924b(config-line)# password mysecretpassword
lab2924b(config-line)# logging synchronous
lab2924b(config-line)# login
lab2924b(config-line)# line vty 0 4
lab2924b(config-line)# password mysecretpassword
lab2924b(config-line)# login local
lab2924b(config-line)# exit
lab2924b(config)# exit
lab2924b#


Don't worry if that looks a little overwhelming -- it gets better with practice :) Basically, we set up a number of options on the switch to secure it against unauthorised access, to make it easy to manage and to help us make sure we were managing the switch we expected to be managing. (As an aside, I once watched, horrified, as a co-worker accidentally reformatted the hard drive on a server we had just finished installing and configuring. He was SSH'd into both the old server and the new server at the same time, and thought he was in the terminal window for the old server when he was actually in the terminal window for the new server. Amazingly, we were able to rebuild the server in a little over an hour's time -- and thus, we were able to catch our flight back home that afternoon -- but it was a great object lesson in using meaningful host names, and always making sure the host name on your terminal session matches the host name you expect to see before overwriting/erasing data or changing configs.)

The "service password-encryption" command rewrites all of the passwords in the config file to an encrypted format so that someone looking over your shoulder can't discover your password. (Bear in mind that this is Cisco's reversible "type 7" encoding: it defeats a glance at the screen, not someone who gets hold of a copy of the config. The "enable secret" password, by contrast, is stored as a one-way hash.) By default, Cisco's IOS will assume that any word you type on the command line that it doesn't recognize as a legitimate command is a hostname, and therefore it will try to use DNS to resolve that "host name" into an IP address, which can be a real pain. The "no ip domain-lookup" command tells the IOS not to do that (IMHO, it ought to be the default behaviour on Cisco equipment). The "banner motd..." command tells the switch to display a login message when someone accesses the console or telnet virtual terminal lines. You can put whatever message you want, and you don't have to use a squiggle as the delimiter; I just use it because I don't think I am likely to use a squiggle in a login message, so it's convenient.

All of the other commands should be pretty self-explanatory, but if not, then you absolutely should spend some time looking them up on Cisco's web site. Better yet, after entering these commands, return to "Privileged Exec" mode and run the "write mem" command to save the config to permanent storage (flash); then spend some time enabling and disabling the commands and see what happens! If you lose access to the switch, just unplug it, count to five, then plug it back in. In one or two minutes, the switch will reboot into the saved configuration, allowing you to telnet in again.
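As an added example (not part of the original lesson), here is a short Python audit that reads a config dump and checks for the hardening steps just discussed: password encryption, a hashed enable secret, "no ip domain-lookup", and a login plus an idle timeout on every console and vty line. The config text is constructed to mirror the commands above (placeholders stand in for the real hashes), and the grouping relies on IOS indenting sub-commands with one space, as "show running-config" does.

```python
# Constructed sample, roughly what "show running-config" prints after this
# lesson's commands (not from a real switch; banner collapsed to one line).
SAMPLE_CONFIG = """\
service password-encryption
enable secret 5 <hash-placeholder>
username root password 7 <type7-placeholder>
no ip domain-lookup
banner motd ~ Unauthorised access is prohibited ~
line con 0
 exec-timeout 30 0
 password 7 <type7-placeholder>
 login
line vty 0 4
 password 7 <type7-placeholder>
 login local
"""

def parse_sections(text):
    """Group an IOS config into {top-level line: [indented sub-commands]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):  # skip blanks and separators
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections.setdefault(current, [])
    return sections

def audit(text):
    """Findings against the hardening steps in this lesson; [] means clean."""
    s = parse_sections(text)
    findings = []
    for required in ("service password-encryption", "no ip domain-lookup"):
        if required not in s:
            findings.append("missing: " + required)
    if not any(k.startswith("enable secret") for k in s):
        findings.append("no enable secret (only the reversible enable password, or none)")
    has_user = any(k.startswith("username ") for k in s)
    for line, subs in s.items():           # every "line con"/"line vty" block
        if not line.startswith("line "):
            continue
        if not any(x == "login" or x.startswith("login ") for x in subs):
            findings.append(line + ": no login (line is unauthenticated)")
        if "login local" in subs and not has_user:
            findings.append(line + ": login local but no username configured")
        if not any(x.startswith("exec-timeout") for x in subs):
            findings.append(line + ": no explicit exec-timeout (IOS default applies)")
    return findings
```

Run against the sample, it reports exactly one thing the commands above leave at the IOS default: no exec-timeout on the vty lines.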

Also, connect two computers, a computer and a router, or whatever you've got to the switch, and see if you can ping across from one computer or router to the other. As long as both hosts are on the same subnet (i.e., 192.168.1.xxx, where "xxx" is a number between 1 and 252 -- this switch is .253, remember?) they should be able to reach each other. If not, use the "show ip interface brief" or "show interface" commands to figure out why not. If the switch had already been configured, you might see output like this:

lab2924b# show ip interface brief
Interface       IP-Address    OK? Method Status                Protocol
VLAN1           192.168.1.253 YES manual up                    up
FastEthernet0/1 unassigned    YES unset  up                    up
FastEthernet0/2 unassigned    YES unset  administratively down down


If you notice, VLAN1 and FastEthernet0/1 show Status is up and Protocol is up, but FastEthernet0/2 is "administratively down." That means the administrator (you) has turned off that Ethernet port on the switch. To fix, type:

lab2924b# conf t
lab2924b(config)# int fa0/2
lab2924b(config-if)# no shut
lab2924b(config-if)# exit
lab2924b(config)# exit
lab2924b# write mem


I did two things here: first, I told the switch that I want to enable ("no shutdown") the FastEthernet0/2 port, and second, you'll notice that I didn't type all of the commands out in full ("conf t" rather than "configure terminal", "int fa0/2" rather than "interface fastethernet0/2", etc.). The Cisco IOS is smart enough to understand what you mean as long as you type enough characters to positively identify the command you want. For example, on a router with an ISDN Basic Rate Interface port, you can't type "sho ip int bri" instead of "sho ip int brief" because there is an interface bri0 on the router. You can, however, type "sh ip int brie", as that provides enough characters for the router to differentiate between the bri0 interface and the brief output of the "sho ip int" command.
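As an added example (not part of the original post), here is a Python parser for the "show ip interface brief" table shown above that turns each row into a dict and suggests a next step per interface from its Status/Protocol pair. The sample table is constructed to match the output earlier in this lesson, with one extra down/down port; the column handling has to cope with "administratively down" containing a space.

```python
# Constructed "show ip interface brief" output in the shape shown above
# (not captured from a real switch); the Status column can contain a space.
SAMPLE_BRIEF = """\
Interface       IP-Address    OK? Method Status                Protocol
VLAN1           192.168.1.253 YES manual up                    up
FastEthernet0/1 unassigned    YES unset  up                    up
FastEthernet0/2 unassigned    YES unset  administratively down down
FastEthernet0/3 unassigned    YES unset  down                  down
"""

def parse_brief(text):
    """Parse the table into dicts; Status is everything between Method and Protocol."""
    rows = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] == "Interface":   # skip header and blank lines
            continue
        rows.append({"interface": t[0], "ip": t[1], "ok": t[2],
                     "method": t[3], "status": " ".join(t[4:-1]),
                     "protocol": t[-1]})
    return rows

def diagnose(text):
    """Map each interface to a next step, based on its status/protocol pair."""
    verdicts = {}
    for r in parse_brief(text):
        key = (r["status"], r["protocol"])
        if key == ("administratively down", "down"):
            verdicts[r["interface"]] = "shut by config: 'no shutdown' on the interface"
        elif key == ("down", "down"):
            verdicts[r["interface"]] = "no link: check the cable and the far end"
        elif key == ("up", "up"):
            verdicts[r["interface"]] = "ok"
        else:
            verdicts[r["interface"]] = "unexpected state " + "/".join(key)
    return verdicts

def admin_down(text):
    """Interfaces an administrator has shut down (the case fixed above)."""
    return [r["interface"] for r in parse_brief(text)
            if r["status"] == "administratively down"]
```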

For a "simple" lesson, we've covered a lot of material here, so I'm going to knock off for the night. We'll pick up later in Lesson 2 where we start playing with a Cisco router.
