Switch ManagementManaging a Catalyst switch can be broken up into several topics. A switch runs an operating system, which provides a user interface and controls all processes that are used to forward packets. The following sections address all these topics. Operating SystemsYou can configure Cisco Catalyst switch devices to support many different requirements and features. When a PC is connected to the serial console port, configuration generally is done with a terminal emulator application on the PC. You can perform further configurations through a Telnet session across the LAN or through a web-based interface. These topics are covered in later sections. Catalyst switches support one of two operating systems, each with a different type of user interface for configuration:
Note The Catalyst OS is mentioned here only for comparison. It is not covered in detail in the BCMSN 3.0 course; therefore, it is not covered in this text. For more information about Catalyst OS comparisons and side-by-side configuration commands, refer to these sources: Cisco Field Manual: Catalyst Switch Configuration, by David Hucaby and Steve McQuerry, Cisco Press, ISBN 1-58705-043-9 Comparison of the Cisco Catalyst and Cisco IOS Operating Systems for the Cisco Catalyst 6500 Series Switch, at http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a00800c8441.shtml Generally, you are provided with an interface where you can issue commands, such as show, to display many different types of information about the switch, its configuration, and dynamic operation. This is called user EXEC mode. Users are given access to various commands, according to their privilege level, ranging from Level 1 through Level 15. By default, a user is given Level 1. To make any configuration changes, a user must enter a higher level, such as Level 15, through the enable command. When in the privileged EXEC or enable mode, you can make configuration changes using the config command. Configuration is performed in layers, starting with the global configuration. Each time you select a specific item to configure in global configuration mode, you are moved into that respective configuration mode. The switch prompt changes to give you a clue about your current mode. For example, normal or user EXEC mode generally is shown with the name of the switch followed by a greater-than (>) character. Privileged EXEC (enable) mode replaces the > with a hash or pound sign (#). Global configuration is shown as the switch name followed by (config). If you select an interface to configure, you enter interface configuration mode, signified by (config-if). Basically, if you are familiar with router EXEC and configuration commands and the IOS user interface, you will be comfortable working with the Catalyst IOS Software. Identifying the SwitchAll switches come from the factory with a default configuration and a default system name or prompt. You can change this name so that each switch in a campus network has a unique identity. This option is useful when you are using Telnet to move from switch to switch in a network. To change the host or system name, enter the following command in configuration mode: Switch(config)# hostname hostname The host name is a string of 1 to 255 alphanumeric characters. As soon as this command is executed, the system prompt changes to reflect the new host name. Note Configuration changes made on Cisco IOS-based switches apply only to the active running configuration, stored in RAM. To make the changes permanent, in effect even after a power cycle, remember to copy the switch configuration into the startup configuration, stored in NVRAM. This is discussed in the "Switch File Management" section of this chapter. Passwords and User AccessNormally, a network device should be configured to secure it from unauthorized access. Administrative users can connect to Catalyst switches through an asynchronous serial console port, Telnet sessions, rlogin (remote login), and SSH (secure shell). Catalyst switches offer a simple form of security by setting passwords to restrict who can log in to the user interface. Two levels of user access are available: regular login, or user EXEC mode, and enable login, or privileged EXEC mode. User EXEC mode is the first level of access, which gives access to the basic user interface through any line or the console port. Privileged EXEC mode requires a second password and gives access to set or change switch operating parameters or configurations. Cisco offers various methods for providing device security and user authentication. Many of these methods are more secure and robust than using the login passwords. Chapter 17, "Securing Switch Access," describes these features in greater detail. To set the login passwords for user EXEC mode, enter the following commands in global configuration mode: Switch(config)# line con 0 Switch(config-line)# password password Switch(config-line)# login Switch(config)# line vty 0 15 Switch(config-line)# password password Switch(config-line)# login Switch(config)# enable secret enable-password Here, the user EXEC mode password is set on the console (line con 0) and on all the virtual terminal (line vty 0 15) lines used for Telnet access. The enable mode password (enable secret), which automatically is encrypted when set, is a global value for all users. The user EXEC password is a string of 1 to 80 alphanumeric characters. The enable secret password is a string of 1 to 25 alphanumeric characters. All passwords are case sensitive. You can change the passwords by reconfiguring the passwords with different strings. To completely remove a password, use the no password or no enable secret command in the appropriate line-configuration mode. Password RecoveryAfter the EXEC and enable passwords are configured, there is always a chance that you could forget them. You also might inherit a switch that has its passwords set to unknown values. In this case, you must take the switch through a password-recovery procedure. The procedure varies among the different Catalyst switch families. Refer to the following documents:
For a complete list of password-recovery procedures for any model of Cisco equipment, refer to the handy Password Recovery Procedures technical tip at http://www.cisco.com/warp/public/474/. Tip Although password recovery is not covered explicitly in the BCMSN course (nor is likely in the CCNP BCMSN exam), you should be aware of the concepts needed to regain access to a switch. Remote AccessBy default, the switch allows user access only via the console port. To use Telnet to access a switch from within the campus network, to use ping to test a switch's reachability, or to monitor a switch by SNMP, you must configure for remote access. Even if a switch operates at Layer 2, the switch supervisor processor must maintain an IP stack at Layer 3 for administrative purposes. An IP address and subnet mask then can be assigned to the switch so that remote communications with the switch supervisor are possible. By default, all ports on a switch are assigned to the same virtual LAN (VLAN) or broadcast domain. The switch supervisor and its IP stack must be assigned to a VLAN before remote Telnet and ping sessions will be supported. VLANs are discussed further in Chapter 6, "VLANs and Trunks." You can assign an IP address to the management VLAN (default is VLAN 1) with the following commands in global configuration mode: Switch(config)# interface vlan vlan-id Switch(config-if)# ip address ip-address netmask Switch(config-if)# ip default-gateway ip-address Switch(config-if)# no shutdown As demonstrated by the preceding command syntax, an IP address and subnet mask are assigned to the VLAN "interface," which is really the switch supervisor's IP stack listening on VLAN number vlan-id. Any VLAN number can be used, as long as the VLAN has been defined and is active (in use on a physical switch interface). To send packets off that local VLAN subnet, a default gateway IP address also must be assigned. This default gateway has nothing to do with processing packets that are passed through the switch; the default gateway is used only to forward traffic between a user and the switch supervisor for management purposes. (This concept can be expanded greatly on a Layer 3 switch, which can perform its own "routing" functions and can use dynamic routing protocols.) Interswitch Communication: Cisco Discovery ProtocolBecause switch devices usually are interconnected, management is simplified if the switches can communicate on some level to become aware of each other. Cisco has implemented protocols on its devices so that neighboring Cisco equipment can be found and identified. Cisco uses a proprietary protocol on both switches and routers to discover neighboring devices. You can enable the Cisco Discovery Protocol (CDP) on interfaces to periodically advertise the existence of a device and exchange basic information with directly connected neighbors. The information exchanged in CDP messages includes the device type, software version, links between devices, and number of ports within each device. By default, CDP runs on each port of a Catalyst switch, and CDP advertisements occur every 60 seconds. CDP communication occurs at the data link layer so that it is independent of any network layer protocol that might be running on a network segment. This means that CDP can be sent and received using only Layer 2 functionality. CDP frames are sent as multicasts, using a destination MAC address of 01:00:0c:cc:cc:cc. Cisco Catalyst switches regard the CDP address as a special address designating a multicast frame that should not be forwarded. Instead, CDP multicast frames are redirected to the switch's management port and are processed by the switch supervisor alone. Cisco switches become aware only of other directly connected Cisco devices. CDP is enabled by default on all switch interfaces. To manually enable or disable CDP on an interface, use the following interface-configuration command: Switch(config-if)# [no] cdp enable If a switch port connects to a non-Cisco device or to a network outside your administrative control, consider disabling CDP on that port. Add the no keyword to disable CDP. Switch File ManagementA Catalyst switch uses several types of files while it is operating. To manage a switch, you should understand what type of file is used for what purpose, how to move these files, and how to upgrade them. The following files typically are used in a Catalyst switch:
All Catalyst files can be stored in various file systems so that they can be accessed and used by the switch hardware. Files also can be stored in file systems external to the switch, either as backup copies or as downloadable upgrades. The typical file systems available to a Catalyst switch are as follows:
OS Image FilesThe Catalyst IOS Software is packaged as an IOS image file, just as it is for routers. IOS image files are stored in the Flash memory on a switch. Only one image file can be executed while the switch is running, but more than one image file can be stored on the switch. Switches such as the Catalyst 2970 and 3750 have one Flash area where images are stored. This is always named flash:. Larger, more modular switches can have several Flash file systems. For example, a Catalyst 4500 has one named cat4000_flash: that contains the VLAN database file and another called bootflash: that contains the IOS image and bootstrap image files. Flash memory also can be present in the form of a PCMCIA card, so stored files can be swapped out by replacing the Flash card. These cards are named slot0:, slot1:, and so on. You can copy IOS image files from one file system to another or to an external location. This allows an image file to be backed up in case of a switch failure. Image files also can be copied into the switch Flash file system so that the software version can be upgraded. Filename ConventionsIOS image files are named according to a predefined format. The filenames follow this basic template:
Configuration FilesThe switch configuration is a file containing all the commands needed to configure each switch feature and function. Here are three of the most common configuration files:
Other Catalyst Switch FilesYou can find several other files stored in the file systems on a Catalyst switch. Most of the time, you will not need to do anything with them. They are mentioned here for your understanding and in case you need to access the information they contain. These files can include the following:
Moving Catalyst Switch FilesA switch can copy files to and from various locations, including those in Table 4-2.
Cisco IOS Software allows you to navigate and manipulate the Flash file system in much the same way other operating systems, such as UNIX and DOS, do. In Flash memory, you can find plain-text files, binary executable files, and directories. You are free to "move" up and down into directories. You also can copy, rename, or delete files. In the EXEC mode, you always are positioned in the "root" directory, flash:, by default. To perform a function in the Flash file system, use one of the following commands:
You also can manipulate the switch-configuration files from privileged EXEC (enable) mode. Remember that two configuration files exist at all timesrunning-config and startup-config. Any configuration changes that you make to a switch are applied immediately to the running-config file. The only way to update the startup-config is by manually copying another file to it. Cisco IOS Software allows the following commands to manipulate the configuration files:
Troubleshooting from the Operating SystemThe Cisco Catalyst IOS Software provides many commands that can verify or troubleshoot a switch in its current environment. Sometimes you might wonder what software image or configuration commands are being used by a switch. A switch also can produce real-time debugging information about a feature or condition to aid in troubleshooting. Information is also available to help identify other neighboring Cisco devices in a network. This section explains each of these tasks and how to accomplish them using the relevant commands. Displaying Configuration and File ContentsCisco IOS Software offers many commands that you can use from the EXEC mode command line to display the contents of files, current configuration states, and values for troubleshooting. You can use the following commands to view and troubleshoot switch files and file systems:
Note You can filter the output of any show command so that you see only lines containing specific keywords. Append the "pipe" symbol (|) to the command line, followed by one of these keywords: begin text (start the output with the line containing text), include text (display only lines that contain text), or exclude text (display only lines that don't contain text). When a large amount of output is displayed, the switch usually shows a page at a time, pausing with a "-More-" prompt. You can press either the Space key to display the next page, the Return (Enter) key to display the next line, or /text to search forward and begin the page of output at the line containing text. Using the slash key allows a quick search within the context of the entire output. Debugging OutputFor more focused and real-time information about a certain switch feature, you can use the debug EXEC command. Debug output is not used normally, unless you suspect a problem with a feature or an interaction with other switches in the network. You can use many options with the debug command, each pertaining to a switch feature or a specific activity. Type the debug command followed by ? to get context-based help on all the supported debugging commands and keywords. After you enable a debug command, you can see the debug output listed as events occur on the switch. Caution Use the debug commands cautiously because they can generate a tremendous amount of output. Not only can this display slowly on a serial console connection, but the debug process itself also can bog down the switch CPU to the point that it severely impacts traffic forwarding. Always be sure to turn off any debugging commands when you finish with them by using the no debug options command, where the options keywords match the ones you used to enable debugging. To quickly disable all active debugging commands, use the no debug all or undebug all commands. Viewing CDP InformationTo view information learned from CDP advertisements of neighboring Cisco devices, use one of the following commands: Switch# show cdp interface [type mod/num] Switch# show cdp neighbors [type mod/num | vlan vlan-id] [detail] The first command displays CDP information pertaining to a specific interface. If the type, module, and port information is omitted, CDP information from all interfaces is listed. The second command displays CDP information about neighboring Cisco devices. A specific interface or VLAN can be given to display only neighbors connected to it. Using the detail keyword results in the display of all possible CDP information about each neighbor. Recall that CDP messages are sent out every 60 seconds, and all entries received are placed in a cache. The cache is updated with new entries, and stale entries are aged out after a hold time of 180 seconds. If you suspect a problem with a neighboring switch, you might want to clear the CDP cache of all potentially stale information to see what new information is being received from neighbors. Do this with the clear cdp table command. As demonstrated in Example 4-1, the show cdp neighbors and the show cdp neighbors detail commands can be useful when you are connected to a switch and need to know more about what other switches are nearby in a network. Particularly useful are the IP address entries, allowing Telnet access to previously unknown switches. To see a brief listing of only the neighbor switch names and their management IP addresses, use the show cdp entry * protocol command. Example 4-1. Displaying CDP Information for Neighboring DevicesSwitch# show cdp neighbors Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge S - Switch, H - Host, I - IGMP, r - Repeater Device ID Local Intrfce Holdtme Capability Platform Port ID BuildingA-1 Gig 2/1 158 S I WS-C3550-4Gig 0/1 CoreSwitch-1 Gig 1/1 158 T S Cat 6000 Gig 3/1 Switch# show cdp neighbors gig 1/1 detail ------------------------- Device ID: CoreSwitch-1 Entry address(es): IP address: 192.168.199.9 Platform: cisco Catalyst 6000, Capabilities: Router Switch IGMP Interface: GigabitEthernet1/1, Port ID (outgoing port): GigabitEthernet3/1 Holdtime : 136 sec Version : Cisco Internetwork Operating System Software IOS (tm) c6sup2_rp Software (c6sup2_rp-JK9SV-M), Version 12.2(14)SY4, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright 1986-2004 by cisco Systems, Inc. Compiled Wed 31-Mar-04 10:50 by kellmill Switch# show cdp entry * protocol Protocol information for BuildingA-1 : IP address: 192.168.199.107 Protocol information for CoreSwitch-1 : IP address: 192.168.199.9 Switch# |