
Pass the packet. Initial Cisco Catalyst Switch Configuration

Cisco is one of the leading transnational corporations in the telecommunications equipment market.

Cisco products have gained worldwide recognition due to their reliability and ruggedness.

Cisco 2960 Configuration: In this article, we will perform basic switch configuration. The article will be useful to everyone who starts working with Cisco products.

Step 1: Connecting the Cisco Hardware

Setting up Cisco hardware is quite specific and differs somewhat from other vendors' equipment.

For example, the initial configuration of Cisco switches requires the branded flat blue RJ-45 to RS-232 console cable (supplied with the equipment) and a COM port on the computer from which the configuration will be performed.

HyperTerminal is no longer shipped with Windows 7/8; the solution is to copy the HyperTerminal folder from a Windows XP installation (located in Program Files) to any convenient directory on Windows 7/8.

The program is launched with the hypertrm.exe file found in that folder.

Alternatively, use PuTTY, which, besides connecting to Cisco equipment, can also be used to connect to servers and other systems over SSH.

Let's get connected. On the front panel of the switch, we are looking for an RJ-45 connector labeled "Console", and connect the cable.

Turn on the switch power.

On the computer, open HyperTerminal, select the connection interface (COM1) and a port speed of 9600 baud, and answer "No" to all further questions.

Step 3. General principles for configuring Cisco equipment

For security purposes, there are 2 command entry modes available on Cisco switches: user mode to check the status of the switch and privileged mode (analogous to the UNIX root user or Windows administrator) to change the switch configuration.

For users who are accustomed to working on UNIX systems, it will not be difficult to understand in which mode they work.

For users working in Windows, an explanation: if the prompt ends with the "#" character, you are in privileged mode.

The same applies to entering a password: as on UNIX systems, the password the user types is not displayed on the screen.

To switch to privileged mode, use the “enable” command, without quotes, and to exit, “disable”.

Let's start with the initial configuration of the switch. When the device boots for the first time, the installation wizard will offer you to perform step-by-step configuration, we refuse this step:

Continue with configuration dialog? : no

Then we are in user mode:

Enter privileged mode. By default there is usually no password, so type nothing and just press "Enter".

Switch> enable

Settings that apply to the whole switch (the switch name, IP address, time synchronization server, etc.) are made in global configuration mode; individual interfaces are configured in interface configuration mode.

Step 4: Cisco 2960 Basic Setup

1. Change the name of our switch (the default name is Switch):

Switch# configure terminal

Switch(config)# hostname Switch01 (set the name of the switch to Switch01)

Switch01(config)#

In the future, this helps to be sure that the configuration is performed on the correct device.

Note also that long commands such as "configure terminal" have short equivalents such as "conf t".

2. Set the IP address for the management interface of the switch.

Switch01(config)# interface fa0/0 (specify the interface to configure)

Switch01(config-if)# no shutdown (enable the interface)

Switch01(config-if)# ip address <ip-address> 255.255.255.0 (set the IP address and mask)

Switch01(config-if)# exit (exit interface configuration mode)

Switch01(config)#

3. Set a password for privileged mode:

Switch01(config)# enable secret pass1234 (password pass1234)

Switch01(config)# exit

Switch01#

Important! A password can be set with two commands, enable password and enable secret. In the first case the password is stored in the configuration file in clear text; in the second it is stored as a hash (a type 5 secret that cannot be reversed). If the password command was used, the passwords stored in clear text on the device must at least be obscured with the "service password-encryption" command in global configuration mode; note that this is the reversible type 7 encoding, so it hides passwords from a casual look at the config rather than protecting them.

4. Since the data is transmitted in the clear during a telnet connection, we will use an SSH connection to connect to the switch remotely, which allows you to encrypt all traffic.

Switch01# conf t

Switch01(config)# ip domain-name geek-nose.com (specify the domain; if there is no domain, write any)

Switch01(config)# crypto key generate rsa (generate the RSA key for SSH)

Switch01(config)# ip ssh version 2 (specify the SSH protocol version)

Switch01(config)# ip ssh authentication-retries 3 (set the number of SSH login attempts)

Switch01(config)# service password-encryption (store passwords encrypted)

Switch01(config)# line vty 0 2 (switch to the configuration mode for the terminal lines)

Switch01(config-line)# transport input ssh (allow connection only via SSH)

Switch01(config-line)# exec-timeout 20 0 (automatically disconnect an idle SSH session after 20 minutes)

Switch01(config-line)# end (exit configuration mode)

Switch01# copy running-config startup-config (save the settings)

Important! To go one level up in the configuration submenus, for example from "config-line" to "config", use the "exit" command. To leave configuration mode completely, use the "end" command.

The basic ssh setup was described above, more advanced setup can be found below:

Switch01# conf t

Switch01(config)# aaa new-model (enable the AAA model)

This article is also suitable for configuring switches such as Cisco Catalyst 2950, Cisco Catalyst 2960, Cisco Catalyst 3550, Cisco Catalyst 3560 and Cisco Catalyst 3560G.

For the initial setup of Cisco switches, we need an RJ-45 - RS-232 cable and a COM port on the computer.

As a console I will be using ZOC.

Connection settings:

When the device boots for the first time, the installation wizard will offer you to perform step-by-step configuration, we refuse this step:

Switching to privileged mode:

Set a password for privileged mode

And allow telnet login:

If you mistype something in the console or enter a command in Russian, the switch tries to resolve it as a host name; turn this feature off so as not to waste time:

Set up an access-list to access the switch only from the specified IP addresses:

Last save:

C2960G test# copy running-config startup-config
C2960G test# wr
March 16, 2010 at 09:50

Cisco Router Basic Configuration Template


Recently I have often had to configure Cisco routers from scratch (mainly the 800-1800 series) for branches of my company, and so as not to type the same commands for the umpteenth time, I put together a small configuration template for various occasions. I should say right away that I have no Cisco certifications and have not read many books on these routers; all my experience comes from trial and error, poring over the manuals on cisco.com and some thoughtful borrowing of pieces of other people's configs...

So, unpack the router, upload the latest firmware (SSH requires at least the Advanced Security feature set), run
#erase startup-config
to get rid of the preconfigured garbage, and reboot.

Setting up authorization and access via SSH

Turn on password encryption
service password-encryption
! use the new AAA model and local user base
aaa new-model
aaa authentication login default local
! we start the user with the maximum rights
username admin privilege 15 secret PASSWORD

Give a name to the router
hostname<...>
ip domain-name router.domain
! generating a key for SSH
crypto key generate rsa modulus 1024
! tuning SSH
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
! and enable it on the remote console
line vty 0 4
transport input telnet ssh
privilege level 15

Routing setup

Enable accelerated packet switching
ip cef

Time setting

Time zone GMT+2
clock timezone Ukraine 2
clock summer-time Ukraine recurring last Sun Mar 2:00 last Sun Oct 2:00
! update system clock via NTP
ntp update-calendar
! It is better to set the NTP server by IP, because if the DNS server is unavailable or overloaded when the name is resolved, the setting configured by name is lost...
ntp server NTP.SERVER.1.IP
ntp server NTP.SERVER.2.IP

Archiving configs

Enable archiving of all config changes, hiding passwords in the logs
archive
log config
logging enable
hidekeys

The history of config changes can be viewed with the command
show archive log config all

DNS setting

Enable name resolution
ip domain-lookup
! enable internal DNS server
ip dns server
! register DNS provider
ip name-server XXX.XXX.XXX.XXX
! just in case, add a few public DNS servers
ip name-server 4.2.2.2
ip name-server 208.67.222.222
ip name-server 208.67.220.220

LAN setup

Usually the ports of the internal switch on the router are combined into Vlan1
interface Vlan1
description === LAN ===
ip address 192.168.???.1 255.255.255.0

We turn on the count of packets transmitted to clients on the interface - it is convenient to see who eats traffic
ip accounting output-packets

You can view the statistics with the command
show ip accounting
! clear
clear ip accounting

Setting up a DHCP server

Excluding some addresses from the pool
ip dhcp excluded-address 192.168.???.1 192.168.???.99
! and set up an address pool
ip dhcp pool LAN
network 192.168.???.0 255.255.255.0
default-router 192.168.???.1
dns-server 192.168.???.1

Internet and Firewall settings

Set up an incoming traffic filter (everything is prohibited by default)
ip access-list extended FIREWALL
permit tcp any any eq 22

Enable traffic inspection between the local network and the Internet
ip inspect name INSPECT_OUT dns
ip inspect name INSPECT_OUT icmp
ip inspect name INSPECT_OUT ntp
ip inspect name INSPECT_OUT tcp router-traffic
ip inspect name INSPECT_OUT udp router-traffic
ip inspect name INSPECT_OUT icmp router-traffic

We configure the port to the Internet and hang some protection on it
interface FastEthernet0/0
description === Internet ===
ip address ???.???.???.??? 255.255.255.???
ip virtual-reassembly
ip verify unicast reverse-path
no ip redirects
no ip directed-broadcast
no ip proxy-arp
no cdp enable
ip inspect INSPECT_OUT out
ip access-group FIREWALL in

And finally, the default gateway
ip route 0.0.0.0 0.0.0.0 ???.???.???.???

NAT setup

On the Internet interface
interface FastEthernet0/0
ip nat outside

On the local interface
interface Vlan1
ip nat inside

Create a list of IPs with access to NAT
ip access-list extended NAT
permit ip host 192.168.???.??? any

Enable NAT on the external interface
ip nat inside source list NAT interface FastEthernet0/0 overload

Adding Inspection of Popular Protocols
ip inspect name INSPECT_OUT http
ip inspect name INSPECT_OUT https
ip inspect name INSPECT_OUT ftp

Disabling unnecessary services

no service tcp-small-servers
no service udp-small-servers
no service finger
no service config
no service pad
no ip finger
no ip source route
no ip http server
no ip http secure-server
no ip bootp server

UPD. Removed unnecessary items on the advice of Habr users
UPD2. Added disabling of unnecessary services
UPD3. Changed firewall settings (thanks

A very common question for beginners is:

“What needs to be configured on Cisco Catalyst from scratch?”

"Download default config for Cisco Catalyst"

"catalyst 2960 2950 3560 default ip address"

how to setup cisco catalyst

I'll try to help these people a little.

  1. There are no default configs, because everyone has their own network and their own "rules".
  2. Cisco does not have a default IP address (this is not D-Link); everything is configured by hand, and initially through the console.

So, let's try to figure out what is worth configuring on a fresh Cisco Catalyst.

For example, common ones:

  • Cisco Catalyst 2950
  • Cisco Catalyst 2960
  • Cisco Catalyst 3550
  • Cisco Catalyst 3560
  • Cisco Catalyst 3560G

I used Cisco Catalyst 3560G

0. Connect to the Cisco via a console cable through a COM port:

FreeBSD via com port:

cu -l /dev/cuad0

FreeBSD via USB->Com adapter :

  • kldload uplcom.ko
  • kldstat | grep uplcom (make sure it's loaded)
  • connect the adapter to the USB port
  • cu -l /dev/cuaU0

On Windows you can use HyperTerminal to connect to the COM port.

1. Set a password for enable mode

Switch> enable
Switch# configure terminal
Switch(config)# enable password my-secret-password

2. Set a password for telnet login

Switch(config)# line vty 0 15
Switch(config-line)#password my-telnet-password

3. Immediately allow telnet login

Switch(config-line)# login
Switch(config-line)# exit

4. Encrypt passwords so that they are not shown in clear text by sh run

Switch(config)# service password-encryption

5. Set a name for the device, for example it will be c3560G

Switch(config)# hostname c3560G

6. hang / assign an IP address to our device

c3560G(config)# interface vlan 1
c3560G(config-if)# ip address 192.168.1.2 255.255.255.0
c3560G(config-if)# exit

7. If you mistype something in the console, the switch will try to resolve it as a host name through DNS, which makes you wait; turn this feature off

c3560G(config)# no ip domain-lookup

8. Set the domain name

c3560G(config)# ip domain-name my-domain.ru

9. Set the IP address of the DNS server

c3560G(config)# ip name-server 192.168.1.15

10. Set the time
if you have available NTP server

c3560G(config)# ntp server 192.168.1.1 version 2 source vlan 1
c3560G(config)# ntp clock-period 36029056
c3560G(config)# ntp max-associations 1

where 192.168.1.1 is the IP address of the NTP server
and using the source vlan “addendum”, you can clearly set the vlan number from whose IP the NTP request will be sent

if there is no NTP server, then you can set the time manually, but for this you will have to exit the configuration mode

c3560G(config)# exit
c3560G# clock set 20:00:50 23 Aug 2008

11. Set the transition from winter to summer time and vice versa

c3560G# configure terminal
c3560G(config)# clock timezone MSK 3
c3560G(config)# clock summer-time MSD recurring last Sun Mar 2:00 last Sun Oct 2:00

12. Let's make it so that the show logging command displays the normal time, and not the number of days, etc.

c3560G(config)# service timestamps log datetime localtime

13. Set the default settings for all ports on the device at once (I have a Catalyst with 24 ports + 4 SFPs)

c3560G(config)# vlan 999
c3560G(config-vlan)# name unused_ports
c3560G(config-vlan)# shutdown
c3560G(config-vlan)# exit
c3560G(config)# interface range gi 0/1 - 28
c3560G(config-if-range)# description not_used
c3560G(config-if-range)# shutdown
c3560G(config-if-range)# no cdp enable
c3560G(config-if-range)# switchport nonegotiate
c3560G(config-if-range)# switchport access vlan 999
c3560G(config-if-range)# switchport mode access
c3560G(config-if-range)# exit

14. Turn off the web interface, the command line rules

c3560G(config)# no ip http server

15. Set the default gateway (let's say it will be 192.168.1.1, since we assigned the IP 192.168.1.2/255.255.255.0 to the device)

c3560G(config)# ip default-gateway 192.168.1.1

16. If this switch will support routing (it will be a router), then enable the routing function (if the device itself and its firmware allow it)

The 3560G does an excellent job of routing

c3560G(config)# ip routing
c3560G(config)# ip classless
c3560G(config)# ip subnet-zero

17. If you completed step 16, then again you need to set the default gateway, but with a different command

c3560G(config)# ip route 0.0.0.0 0.0.0.0 192.168.1.1

18. Set up access-list to access the switch only from certain IP addresses

c3560G(config)# ip access-list standard TELNET
c3560G(config-std-nacl)# permit 192.168.1.1
c3560G(config-std-nacl)# permit 192.168.1.15
c3560G(config-std-nacl)# exit

19. Apply this access-list

c3560G(config)# line vty 0 15
c3560G(config-line)# access-class TELNET in

20. Set the timeout of inactivity of the telnet session, after the specified time, if you did not enter anything in the console, then the telnet connection will automatically close

c3560G(config-line)# exec-timeout 5 0
c3560G(config-line)# exit

21. Enable SNMP, but only read only (RO) and accessibility only from host 192.168.1.1

c3560G(config)# snmp-server community RO-MY-COMPANY-NAME RO
c3560G(config)# snmp-server trap-source Vlan1
c3560G(config)# snmp-server source-interface informs Vlan1
c3560G(config)# snmp-server location SWITCH-LOCATION
c3560G(config)# snmp-server contact [email protected]
c3560G(config)# snmp-server host 192.168.1.1 RO-MY-COMPANY-NAME
c3560G(config)# exit

22. And finally, let's save our work

c3560G# copy running-config startup-config

or, shorter:

c3560G# wri
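The three procedures above all come down to the same handful of hardening items: enable secret rather than enable password, service password-encryption, SSH-only vty lines with an access-class and an exec-timeout, the web server disabled, and read-only SNMP. The following Python script is an added example, not part of the original article: it checks a saved `show running-config` text for those items; the sample config, hostname and community strings in it are constructed.

```python
"""Audit a saved Cisco IOS running-config for the hardening items above (added example)."""
import re

# Constructed sample: a switch on which only some of the steps were applied.
SAMPLE_CONFIG = """\
hostname Switch01
enable password pass1234
ip domain-name geek-nose.com
ip ssh version 2
snmp-server community public RW
line vty 0 4
 transport input telnet ssh
 exec-timeout 0 0
line vty 5 15
 access-class TELNET in
 transport input ssh
 exec-timeout 20 0
"""

GLOBAL_CHECKS = [  # (command prefix, must be present?, finding text)
    ("enable secret", True, "enable secret not set"),
    ("enable password", False, "enable password in use (reversible); use enable secret"),
    ("service password-encryption", True, "service password-encryption missing"),
    ("ip ssh version 2", True, "ip ssh version 2 not set"),
    ("ip domain-name", True, "ip domain-name missing (needed to generate the RSA key)"),
    ("no ip http server", True, "web interface not disabled (no ip http server)"),
]

def parse_config(text: str) -> dict:
    """Global lines under 'global', plus one child list per 'line vty' block.
    Children of other blocks (interfaces etc.) are folded into 'global'."""
    sections, current = {"global": []}, "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # blank or comment
        if not raw.startswith(" "):  # top-level command starts a new context
            current = line if line.startswith("line vty") else "global"
            sections.setdefault(current, [])
        if current == "global" or raw.startswith(" "):
            sections[current].append(line)
    return sections

def audit(text: str) -> list:
    """Return findings for the config text; an empty list means all checks pass."""
    cfg = parse_config(text)
    has = lambda prefix, lines: any(l.startswith(prefix) for l in lines)
    findings = [msg for prefix, want, msg in GLOBAL_CHECKS if has(prefix, cfg["global"]) != want]
    for line in cfg["global"]:
        m = re.match(r"snmp-server community (\S+) RW\b", line)
        if m:
            findings.append(f"SNMP community {m.group(1)!r} is read-write")
    for name, lines in cfg.items():
        if not name.startswith("line vty"):
            continue
        if [l for l in lines if l.startswith("transport input")] != ["transport input ssh"]:
            findings.append(f"{name}: transport input should be 'ssh' only")
        if not has("access-class", lines):
            findings.append(f"{name}: no access-class applied")
        timeout = [l for l in lines if l.startswith("exec-timeout")]
        if not timeout or timeout[0].split()[1:3] == ["0", "0"]:
            findings.append(f"{name}: exec-timeout missing or disabled")
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports eight findings for the partially configured switch; a config that follows every step of the procedures yields an empty list.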

You can find a sea of documentation on Catalysts, and not only on them, on the manufacturer's website: www.cisco.com

OSPF (Open Shortest Path First)

router ospf (starting the ospf process)
Mode:
Router(config)#
Syntax:
router ospf process-id | no router ospf process-id
Description:
process-id: OSPF process number (any number > 0; several processes can be started).
Example:
Router(config)# router ospf 1

network area
Mode:
Router(config-router)#
Syntax:
network address wildcard-mask area area-id | no network address wildcard-mask area area-id
Description:
address wildcard-mask: the address and wildcard mask of the network that will participate in OSPF routing (this also determines which interfaces OSPF runs on).
Example:
Router(config-router)# network 10.0.0.0 0.0.0.255 area 1

ip ospf cost
Mode:
Router(config-if)#
Syntax:
ip ospf cost cost | no ip ospf cost
Description:
cost: the cost (metric) of the route via this interface for OSPF routing (from 1 to 65535). If this command is absent, the cost for this interface is calculated from its bandwidth (see the bandwidth command).
Example:
Router(config-if)# ip ospf cost 100
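The cost-from-bandwidth rule in the description above is worth seeing with numbers: at the IOS default reference bandwidth of 100 Mbps, every link of 100 Mbps or faster gets cost 1, so OSPF cannot prefer a 10 Gbps path over a 1 Gbps one unless the reference is raised with auto-cost reference-bandwidth under router ospf. This Python snippet is an added example and not from the original page; the default reference and the 1..65535 clamp are IOS behaviour, the link names are constructed.

```python
"""Default OSPF interface cost as IOS derives it when 'ip ospf cost' is absent (added example)."""

DEFAULT_REFERENCE_BPS = 100_000_000  # IOS default: auto-cost reference-bandwidth 100 (Mbps)

# Constructed set of link speeds (bits per second) to tabulate.
LINK_SPEEDS = {
    "Serial T1 1.544M": 1_544_000,
    "Ethernet 10M": 10_000_000,
    "FastEthernet 100M": 100_000_000,
    "GigabitEthernet 1G": 1_000_000_000,
    "TenGigabitEthernet 10G": 10_000_000_000,
}


def ospf_cost(bandwidth_bps: int, reference_bps: int = DEFAULT_REFERENCE_BPS) -> int:
    """cost = reference / bandwidth, truncated to an integer and clamped to 1..65535
    (the same range the 'ip ospf cost' command accepts)."""
    if bandwidth_bps <= 0:
        raise ValueError("bandwidth must be positive")
    return max(1, min(reference_bps // bandwidth_bps, 65535))


def cost_table(reference_bps: int = DEFAULT_REFERENCE_BPS) -> dict:
    """Cost per link type at a given reference bandwidth."""
    return {name: ospf_cost(bps, reference_bps) for name, bps in LINK_SPEEDS.items()}


def indistinguishable_links(reference_bps: int = DEFAULT_REFERENCE_BPS) -> list:
    """Links that collapse to cost 1 and so cannot be told apart by OSPF at this reference."""
    return [name for name, cost in cost_table(reference_bps).items() if cost == 1]


if __name__ == "__main__":
    for ref_mbps in (100, 10_000):
        print(f"reference {ref_mbps} Mbps:", cost_table(ref_mbps * 1_000_000))
```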

ip ospf priority
Mode:
Router(config-if)#
Syntax:
ip ospf priority number | no ip ospf priority
Description:
number: router priority (from 1 to 65535). The priority is used when electing the designated router: the higher the priority, the greater the chance that this router becomes the designated router.
Example:
Router(config-if)#ip ospf priority 15

area
Mode:
Router(config-router)#
Syntax:
area area-id {authentication [message-digest] | stub [no-summary] | nssa | default-cost cost | range address mask | virtual-link router-id}
Description:

  • area-id: the area to which the following settings apply.
  • authentication: enables authentication for this area (see the ip ospf authentication-key command). If the message-digest parameter is specified, MD5 key authentication is used (see the ip ospf message-digest-key command).
  • stub: marks the area as a stub area. Link-state updates for external routes are not flooded into it, only summary data. With the no-summary parameter, summary data (type 3 LSAs) is not sent either.
  • nssa: Cisco, as usual, added their five cents to the OSPF protocol. :-) NSSA = not-so-stubby area, i.e. not quite a stub area. (Oh, how!) Same as stub, but the router can import external routes.
  • The default-information-originate option tells everyone that the 0.0.0.0 route is through this router.
  • default-cost cost: specifies the cost (metric) of the default summary route sent into the stub area.
  • range address mask: summarizes the addresses matching the given mask at the area border.
Example: Router(config-router)# area 1 range 10.0.0.1 255.255.0.0
  • virtual-link router-id: if the router has no direct link to area 0 (an OSPF requirement) but has a link to (for example) area 1, area 1 is declared a "transit" (virtual) area.
An example of a config (even with authorization in the transit zone) is here.
Example:
Router(config-router)# area 0 authentication message-digest

ip ospf authentication-key
Mode:
Router(config-if)#
Syntax:
ip ospf authentication-key password | no ip ospf authentication-key
Description:
password: password used to authenticate packets from a neighboring router configured with the same key (up to 8 characters). To enable authentication, you must explicitly enable it for the area with the area authentication command.
Example:
Router(config-if)# ip ospf authentication-key thispwd

ip ospf message-digest-key
Mode:
Router(config-if)#
Syntax:
ip ospf message-digest-key key-id md5 key | no ip ospf message-digest-key key-id
Description:
The command sets the parameters for MD5 authentication. key-id: key number (from 1 to 255). key: password (alphanumeric, up to 16 characters). key-id and key MUST match on neighboring routers. To enable authentication, you must explicitly enable it for the area with the area authentication command.
Example:
Router(config)# interface ethernet 0/1
Router(config-if)# ip ospf message-digest-key 1 md5 coolpwd1

ip ospf network
Mode:
Router(config-if)#
Syntax:
ip ospf network {broadcast | non-broadcast | point-to-multipoint} | no ip ospf network
Description:
The command tells the OSPF protocol which type of network this interface is connected to.
Example:
Router(config-if)# ip ospf network non-broadcast

router-id
Mode:
Router(config-router)#
Syntax:
router-id ip-address | no router-id ip-address
Description:
The command explicitly sets the router ID (otherwise the ID is assigned automatically). The IDs of different routers must not match!
Example:
Router(config-router)# router-id 10.0.0.1
