Section 1-2. Cisco Internetwork Operating System (IOS) Software



  • Cisco IOS Software supports user access by CLI or by a web browser.

  • The CLI can be accessed through the console port or through Telnet.

  • Users can execute Cisco IOS Software commands from a user level or from a privileged level. User level offers basic system information and remote connectivity commands. Privileged level offers complete access to all switch information, configuration editing, and debugging commands.

  • Cisco IOS Software offers many levels of configuration modes, enabling you to change the configuration for a variety of switch resources.

  • Cisco IOS Software offers a VLAN database mode to configure and modify VLAN and Virtual Terminal Protocol (VTP) information.

  • A context-sensitive help system offers command syntax and command choices at any user prompt.

  • A history of Cisco IOS Software commands executed can be kept. As well, command lines can be edited and reused.

  • The output from a command can be searched and filtered so that useful information can be found quickly.

  • Parameters for the CLI connection to the switch can be set to preferred values.

Using Cisco IOS Software

Cisco IOS Software has two basic user modes for switch administration and a number of other modes that enable you to control the configuration of the switch. In addition to a variety of modes, Cisco IOS Software provides features such as help and command-line editing that enable you to interact with the switch for management purposes. The following items describe how to access these modes and use options to configure the switch.

1. User interface modes

a. User EXEC mode

 Switch> 

Users can connect to a switch through the console port or Telnet session. By default, the initial access to a switch places the user in user EXEC mode and offers a limited set of commands. When connecting to the switch, a user-level password might be required.

b. Privileged EXEC mode

 Switch> enable
 password: [password]
 Switch#

When a user gains access in user EXEC mode, the enable command can be used to enter privileged EXEC or enable mode. Full access to all commands is available. To leave privileged EXEC mode, use the disable or exit commands.

c. Configuration mode

 Switch# configure terminal 

From privileged EXEC mode, the configuration mode can be entered. Switch commands can be given to configure any switch feature that is available in the IOS software image. When you are in configuration mode you are managing the active memory of the switch. Anytime you enter a valid command in any configuration mode and press Enter, the memory is immediately changed. Configuration mode is organized in a hierarchical fashion. Global configuration mode allows commands that affect the switch as a whole. Interface configuration mode allows commands that configure switch interfaces. You can move in and out of many other configuration modes depending on what is being configured. To move from a lower-level configuration mode to a higher level, type exit. To leave the global configuration mode and return to the privileged EXEC mode, type exit at the global configuration prompt. To leave any configuration mode and return to privileged EXEC mode, type end or Ctrl-Z.

d. VLAN database mode

 Switch# vlan database
 Switch(vlan)#

From privileged EXEC mode, you can enter vlan database mode. After you enter this mode, the prompt changes to vlan database mode. Vlan database mode configures and modifies VLAN and VTP parameters using vlan and/or vtp commands. When making changes to the VLAN database, the changes do not take effect until you use the command apply to make the changes active in the database or use the command exit to apply the changes and exit the mode. When you make a change and then apply or exit vlan database mode, the VTP configuration number is incremented. You should first configure a VTP domain or set the VTP mode to transparent to create, change, or edit VLANs. The abort command aborts any changes made in the database and leaves the mode. You can also view the current database and the proposed changes to the database using the show commands. Context-sensitive help is available in this mode using the question mark (?) or help command.

2. User interface features

a. Entering commands

 Switch>, Switch#, Switch(config)# or Switch(vlan)# command
 Switch>, Switch#, Switch(config)# or Switch(vlan)# no command

Commands can be entered from any mode (EXEC, global config, interface config, subinterface config, vlan database, and so on). To enable a feature or parameter, type the command and its options normally, as in command. To disable a command that is in effect, begin the command with no, followed by the command. The commands that are in effect can be seen by using the show running-config command in privileged mode. Note that some commands and parameters are set by default and are not shown as literal command lines in the configuration listing.

Commands and their options can also be abbreviated with as few letters as possible without becoming ambiguous. To enter the interface configuration mode for Ethernet 0, for example, you can abbreviate the command interface fastethernet 0 as int fa 0.

You can edit a command line using the Left and Right Arrow keys to move within the line. If additional characters are typed, the remainder of the line to the right is spaced over. You can use the Backspace and Delete keys to make corrections.

NOTE

If the switch displays a console informational or error message while you are typing a command line, you can press the Ctrl-L or Ctrl-R key to redisplay the line and continue editing. You can also configure the lines (console, vty, or aux) to use logging synchronous. This causes the switch to automatically refresh the lines after the switch output. You might have to wait for the switch in order to see output; if you issue debug commands with logging synchronous enabled, you might have to wait for the switch to finish the command (such as a ping) before you see the output.

b. Context-sensitive help

You can enter a question mark (?) anywhere in a command line to get additional information from the switch. If the question mark is typed alone, all available commands for that mode display. Question marks can also be typed at any place after a command, keyword, or an option. If the question mark follows a space, all available keywords or options display. If the question mark follows another word without a space, a list of all available commands beginning with that substring displays. This can be helpful when an abbreviated command is ambiguous and flagged with an error.

An abbreviated command might also be typed, followed by the Tab key. The command name expands to its full form if it is not ambiguous.

If a command line is entered but doesn't have the correct syntax, an error "% Invalid input detected at '^' marker" is returned. A caret (^) appears below the command character where the syntax error was detected.

c. Command history

- (Optional) Set the number of commands to save (default 10). To set the history size for the current terminal session, enter the following:

 Switch# terminal history [size lines] 

To set the history size for all sessions on a line, enter the following:

 Switch(config-line)# history [size lines] 

- Recalling commands to use again

From any input mode, each press of the Up Arrow (↑) key or Ctrl-P recalls the next older command. Each press of the Down Arrow (↓) key or Ctrl-N recalls the next most recent command. When commands are recalled from history, they can be edited as if you had just typed them. The

NOTE

The Up and Down Arrow keys require the use of an ANSI-compatible terminal emulator (that is, VT100).

d. Searching and filtering command output

- Sift through output from a show command

 Switch# show command ... | {begin | include | exclude} reg-expression

A show command can generate a long output listing. If the listing contains more lines than the terminal session can display (set using the length parameter), it displays a screenful at a time with a --More-- prompt at the bottom. To see the next screen, press the Spacebar. To advance one line, press the Return key. To exit back out to the command line, press Ctrl-C, the Q key, or any key on the keyboard other than Return or the Spacebar.

To search for a specific regular expression and start the output listing there, use the begin keyword. This can be useful if your switch has many interfaces in its configuration. Instead of using the Spacebar to eventually find a certain configuration line, you can use begin to jump right to the desired line. To display only the lines that include a regular expression, use the include keyword. To display all lines that don't include a regular expression, use the exclude keyword.

- Sift through output from a more command

 Switch# more file-url | {begin | include | exclude} reg-expression

The more command displays the contents of a file on the switch. A typical use is to display the startup (more nvram:startup-config) or running (more system:running-config) configuration file. By default the file is displayed one screen at a time with a --More-- prompt at the bottom.

To search for a specific regular expression and start the output listing there, use the begin keyword. To display only the lines that include a regular expression, use the include keyword. To display all lines that don't include a regular expression, use the exclude keyword.

- Search through output at a --More-- prompt

 (--More--) {/ | + | -}regular-expression

At a --More-- prompt, you can search the output by typing the slash (/) key followed by a regular expression. To display only lines that include the regular expression, press the plus (+) key. To display only lines that don't include the regular expression, press the minus (-) key.

- What is a regular expression?

A regular expression can be used to match against lines of output. Regular expressions are made up of patterns, either simple text strings (that is, ethernet or ospf) or more complex matching patterns. Typically, regular expressions are regular text words that offer a hint to a location in the output of a show command.

A more complex regular expression is made up of patterns and operators. Table 1-1 shows the characters that are used as operators:

Table 1-1. Operator Characters

 Character   Meaning
 .           Matches a single character.
 *           Matches 0 or more sequences of the preceding pattern.
 +           Matches 1 or more sequences of the preceding pattern.
 ?           Matches 0 or 1 occurrences of the preceding pattern.
 ^           Matches at the beginning of the string.
 $           Matches at the end of the string.
 _           Matches a comma, braces, parentheses, beginning or end of a string, or a space.
 [ ]         Defines a range of characters as a pattern.
 ( )         Groups characters as a pattern; if used around a pattern, the pattern can be recalled later in the expression by using the backslash (\) and the pattern occurrence number.
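The begin, include, and exclude filters and the operators in Table 1-1 can be tried offline with the following added example, which is not part of the original manual. It uses Python's re module as a stand-in for the IOS regular-expression engine; the sample output, the function names, and the translation of the "_" operator (built from the table's description) are assumptions.

```python
import re

# Constructed sample of running-config output (not taken from the page).
SAMPLE = """\
hostname Switch
!
interface FastEthernet0/1
 switchport access vlan 10
!
interface FastEthernet0/10
 switchport access vlan 100
!
ip http server
line vty 0 4
 exec-timeout 10 0
"""

# Table 1-1: "_" matches a comma, brace, parenthesis, space, or either end of the string.
UNDERSCORE = r"(?:^|$|[,{}() ])"

def ios_to_python(pattern):
    """Translate "_" (assumed to be the only Table 1-1 operator Python's re lacks)."""
    out, i, in_class = [], 0, False
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):  # escaped character stays literal
            out.append(pattern[i:i + 2])
            i += 2
            continue
        if ch == "[":
            in_class = True
        elif ch == "]":
            in_class = False
        out.append(UNDERSCORE if ch == "_" and not in_class else ch)
        i += 1
    return "".join(out)

def ios_filter(text, keyword, pattern):
    """Emulate "| begin", "| include" and "| exclude" line by line."""
    rx = re.compile(ios_to_python(pattern))
    lines = text.splitlines()
    if keyword == "include":
        return [l for l in lines if rx.search(l)]
    if keyword == "exclude":
        return [l for l in lines if not rx.search(l)]
    if keyword == "begin":
        for n, line in enumerate(lines):
            if rx.search(line):
                return lines[n:]          # start the listing at the first match
        return []
    raise ValueError("keyword must be begin, include or exclude")

if __name__ == "__main__":
    for line in ios_filter(SAMPLE, "include", "vlan_10_"):
        print(line)
```

A plain "vlan 10" also matches the VLAN 100 line because the filter is a substring match; the "_" delimiters restrict the match to VLAN 10 only.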


3. Terminal sessions

a. Start a new session

 Switch# telnet host 

This initiates a Telnet connection to host (either an IP address or a host name). Then from the switch CLI, you can continue to communicate with the remote host.

b. Name a session

 Switch# name-connection
 Switch# Connection number: number
 Switch# Enter logical name: name

An active session can be assigned a text string name to make the session easier to identify with the show sessions or where command.

c. Suspend a session to do something else

During an active Telnet session to a host, type the escape sequence Ctrl-Shift-6 followed by an x (that is, press Ctrl, Shift, and 6 together, release all the keys, and then press the letter x) to suspend the session. The suspend sequence is sometimes written as Ctrl-^ x. This suspends the Telnet session and returns you to the local switch command-line prompt.

NOTE

You can have nested Telnet sessions open. For example, from the local switch, you can Telnet to another switch A, and then Telnet on to another switch B, and so forth. To suspend one of these sessions, you must also nest your escape sequences. Typing a single Ctrl-^x suspends the session to switch A and returns you to the local switch. Typing Ctrl-^ Ctrl-^x suspends the session to switch B and returns you to switch A's prompt. (Only type the x at the final escape sequence.)

d. Show all active sessions

 Switch# show sessions 

All open sessions from your connection to the local switch are listed, along with connection numbers. You can also use the where command to get the same information.

e. Return to a specific session

First, use the show sessions command to get the connection number of the desired session. Then, just type the connection number by itself on the command line. The session will be reactivated. You can also just press Return/Enter at the command-line prompt and the last active connection in the list will be reactivated. The last active connection in the list is denoted with the asterisk (*). This makes toggling between the local switch and a single remote session easier.

NOTE

When you resume the connection, you are prompted with the message "[Resuming connection 2 to Switch ... ]." After you've resumed your connection, the message shown here does not change and the switch does not display a prompt. Therefore, you must press Enter again to actually resume the connection and get a device prompt.

f. End an active session

 Switch2# Ctrl-^ x
 Switch1# disconnect connection-number

When the remote session is suspended, you can use the disconnect command to end the session and close the Telnet connection. Otherwise, your session remains open until the remote host times the connection out (if at all).

g. Terminal screen format

- Set the screen size for the current session only

 Switch# terminal length lines
 Switch# terminal width characters

- Set the screen size for all sessions

 Switch(config-line)# length lines
 Switch(config-line)# width characters

The screen is formatted to characters wide by lines high. When the number of lines of output from a command exceeds lines, the --More-- prompt is used. If you don't want the output displayed by page with --More--, use length 0. The default length for sessions is 24 lines and the default width for settings is 80 characters.

h. Configure session timeout values

- Define an absolute timeout for a line

 Switch(config-line)# absolute-timeout minutes 

All active sessions on the line are terminated after minutes have elapsed. (Default is 0 minutes, or an indefinite session timeout.)

- Define an idle timeout for a line

 Switch(config-line)# session-timeout minutes [output] 

All active sessions on the line are terminated only if they have been idle for minutes. (Default is 0 minutes, or an indefinite idle timeout.) The output keyword causes the idle timer to be reset by outbound traffic on the line, keeping the connection up.

- Define an idle timeout for all EXEC mode sessions

 Switch(config-line)# exec-timeout minutes [seconds] 

Active EXEC mode sessions are automatically closed after an idle time period of minutes and seconds (default 10 minutes). To disable idle EXEC timeouts on the line, use the no exec-timeout or exec-timeout 0 0 command.

- Enable session timeout warnings

 Switch(config-line)# logout-warning [seconds] 

Users are warned of an impending logout seconds before it occurs. By default, no warning is given. If the seconds field is left off, it defaults to 20 seconds.

4. Web browser interface

a. Enable the web interface

 Switch(config)# ip http server 

The web interface server is started, enabling users to monitor or configure the switch through a web browser.

NOTE

The switch web interface should not be used for access from a public (Internet) network, because of a major vulnerability with the HTTP server service. This vulnerability is documented as Cisco Bug ID CSCdt93862. To disable the HTTP server, use the no ip http server command. In addition to this bug, the default authentication uses clear-text passwords. If you must use the web interface, make sure to configure a stronger authentication method and limit access in Steps c and d that follow.

b. (Optional) Set the web browser port number

 Switch(config)# ip http port number 

HTTP traffic for the web interface can be set to use TCP port number (default 80).

c. (Optional) Limit access to the web interface

 Switch(config)# ip http access-class access-list 

A standard IP access list (specified by either number or name) can be used to limit the source IP addresses of hosts accessing the web interface. This should be used to narrow the range of potential users accessing the switch's web interface.

d. (Optional) Choose a method for user authentication

 Switch(config)# ip http authentication {aaa | enable | local | tacacs} 

Users attempting to access the switch's web interface can be challenged and authenticated with several different mechanisms. By default, the enable method (the clear-text enable password must be entered) is used for authentication. You should use one of the stronger authentication methods: aaa, local (authentication is performed locally on the switch, using usernames and passwords), and tacacs (standard or extended TACACS authentication).

e. View the switch's home page

From a web browser, use the URL http://switch/, where switch can be the switch's IP address or host name. The default switch home page is available to users with a privilege level of 15. Only IOS commands available to lesser-privilege levels are available to those users limited to a privilege level less than 15.
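The following added example, which is not part of the original manual, audits a saved configuration for the weak settings described in Steps a through d and in the session-timeout section: a web interface with no access-class, web authentication left at the default enable method, and a line with its idle EXEC timeout disabled. The two configuration excerpts, the access list, and the function name are constructed for illustration.

```python
import re

# Constructed running-config excerpts (not taken from the page).
WEAK = """\
hostname Switch
ip http server
line vty 0 4
 exec-timeout 0 0
"""
HARDENED = """\
hostname Switch
ip http server
ip http access-class 10
ip http authentication local
access-list 10 permit 192.0.2.0 0.0.0.255
line vty 0 4
 exec-timeout 5 0
"""

def audit(config):
    """Return findings for the web-interface and EXEC timeout settings."""
    lines = [l.rstrip() for l in config.splitlines()]
    top = [l for l in lines if l and not l.startswith(" ")]  # global commands
    findings = []
    if "ip http server" in top:
        if not any(l.startswith("ip http access-class ") for l in top):
            findings.append("http: no access-class limiting source addresses")
        auth = [l.split()[3] for l in top if l.startswith("ip http authentication ")]
        if not auth or auth[-1] == "enable":
            findings.append("http: authentication uses the enable password (default)")
    # Indented lines belong to the most recent "line ..." header.
    current = None
    for l in lines:
        if not l.startswith(" "):
            current = l if l.startswith("line ") else None
        elif current and re.fullmatch(r"\s*(no exec-timeout|exec-timeout 0( 0)?)", l):
            findings.append(f"{current}: idle EXEC timeout disabled")
    return findings

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit(cfg) or "no findings")
```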



Cisco Field Manual. Catalyst Switch Configuration
ISBN: 1587050439
Year: 2001
Pages: 150