The new range of Cisco switches—the 2950 and 3550—run a version of IOS. This makes configuring the switch very similar to configuring a router. The 4000 series is still set based, which means you use the command set to configure the switch. Throughout the rest of this book, we’ll show you commands for these switches.
As a general guideline, you would be expected to use the 2950 as an access-layer switch (because of its cheap per-port cost) and then utilize the more powerful 3550 at the distribution layer. Although these are only rough guidelines, the 3550 does support an internal routing option, which gives it the additional features essential in a modern distribution switch, and the 2950 has a number of different port types and densities, which provide relatively cheap connections for desktop PCs.
There are two types of operating systems that run on Cisco switches:
IOS based: You can configure the Catalyst 2950 and 3550 switches from a command-line interface (CLI) that is almost identical to the one used on Cisco routers. The only differences are some of the commands, which are switch-specific.
Set based: Uses older, set-based CLI configuration commands. The current Cisco switches that use the set-based commands are the 4000 and the 6000 series.
You can physically connect to a Cisco Catalyst switch by connecting either to the console port or an Ethernet port, just as you would with a router.
The 2950, 3550, and 4000 series switches all have a console port on the back, which is an RJ-45 port. The console cables for these switches are rolled cables. (Older 5000 series switches have a console connector that uses only an RS-232-type connector, which comes with the switch when purchased.)
After you connect to the console port, you need to start a terminal emulation program, such as HyperTerminal in Windows. The settings are as follows:
8 data bits
1 stop bit
No flow control
Do not connect an Ethernet cable, ISDN, or live telephone line into the console port. The voltage levels are higher and the result may well be a burned-out console port.
The Catalyst 2950 and 3550 series switches have a number of different arrangements of ports. They are not modular in the sense that the 4000 series switches are. All ports are at least 10/100, and some also support 1000 Mb/sec. Connecting hosts to any of these ports requires a straight-through cable, but to connect the ports to another switch as an uplink, you must use a crossover cable.
The Catalyst 4000 switches can run either 10Mbps or 100Mbps on any port, depending on the type of cards you buy. Gigabit cards are also available. The supervisor cards always take the first slot and have two FastEthernet or Gigabit Ethernet ports for uplinks using either copper or fiber. All devices connected into either the 2950/3550 or 4000 series switches must be within 100 meters (330 feet) of the switch port.
When connecting devices such as workstations, servers, printers, and routers to the switch, you must use a straight-through cable. Use a crossover cable to connect between switches.
When a device is connected to a port, the port status LED light (also called the port link LED or link state LED) on the switching module panel comes on and stays on. If the light does not come on, the other end might be off or there might be a cable problem. Also, if a light comes on and off, a speed matching or duplex problem may exist. I’ll show you how to check that in the next section.
The 4000 series switch loads the software image from flash and then asks you to enter a password, even if none is set. Press Enter and you will see a Console> prompt. At this point, you can enter Enable mode and configure the switch by using set commands:
BOOTROM Version 5.1(2), Dated Apr 26 1999 10:41:04
BOOT date: 08/02/02 BOOT time: 08:49:03
Uncompressing NMP image. This will take a minute…
Downloading epld sram device please wait …
Programming successful for Altera 10K10 SRAM EPLD
Updating epld flash version from 0000 to 0600
Cisco Systems Console
Enter password: [Press return here]
2001 Mar 22 22:22:56 %SYS-5-MOD_OK:Module 1 is online
2001 Mar 22 22:23:06 %SYS-5-MOD_OK:Module 2 is online
Console>
When you connect to the 2950 console, the IOS is booted. As the switch boots, it will show diagnostics on the screen. It displays the version of code, information about the flash storage, various part and serial numbers, and so on. If there is no saved configuration file, you are presented with an option to enter the basic configuration using a process called setup.
System serial number: FOC0650W11A

--- System Configuration Dialog ---

Would you like to enter the initial configuration dialog? [yes/no]:
If you enter yes, then the following menu is displayed:
Would you like to enter the initial configuration dialog? [yes/no]: yes

At any point you may enter a question mark '?' for help.
Use ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.

Basic management setup configures only enough connectivity
for management of the system, extended setup will ask you
to configure each interface on the system

Would you like to enter basic management setup? [yes/no]:
The menu is self-explanatory, but quite limited. You can set the switch name, enter passwords, set up vlan1 and assign IP addresses to interfaces. The rest of the configurations are defaults, and to be honest, it is rare for anyone to use this method of configuration.
You can exit the setup mode at any time using the Ctrl+C key entry, and you can enter the setup mode from the privileged mode by entering the command setup.
The alternative is to answer no to the option to enter setup, after which you are presented with the user-mode switch prompt (the initial name of the switch is, unsurprisingly, Switch).
No passwords are set, and entering the command word enable will take you to the privileged prompt.
In this section, you’ll learn how to configure the basics on both types of switches. Specifically, you’ll learn how to do the following:
Set the passwords.
Set the hostname.
Configure the IP address and subnet mask.
Identify the interfaces.
Set a description on the interfaces.
Configure the port speed and duplex.
Verify the configuration.
Erase the switch configuration.
The first thing you should do is configure the passwords. You don’t want unauthorized users connecting to the switch. You can set both the user-mode and privileged-mode passwords, just as you can with a router. However, you use different commands.
As with any Cisco router, the login (user-mode) password is used to authenticate access to the switch, both over Telnet and at the console port. The enable password controls access to privileged mode, where the configuration can be viewed or changed.
To configure the two passwords on a 4000 series switch, use the command set password for the user-mode password and the command set enablepass for the enable password:
2001 Mar 21 06:31:54 %SYS-5-MOD_OK:Module 1 is online
2001 Mar 21 06:31:54 %SYS-5-MOD_OK:Module 2 is online
Console> en
Enter password:
Console> (enable) set password ?
Usage: set password
Console> (enable) set password [Press enter]
Enter old password:
Enter new password:
Retype new password:
Password changed.
When you see the Enter old password prompt, you can leave it blank and press Enter if you don’t have a password set. What you type at the Enter new password prompt is not echoed on the console screen. If you want to clear the user-mode (login) password, type in the old password and then just press Enter when you’re asked for a new password.
To set the enable password, use the command set enablepass and then press Enter:
Console> (enable) set enablepass
Enter old password:
Enter new password:
Retype new password:
Password changed.
Console> (enable)
You can type exit at this point to log out of the switch completely, which will enable you to test your new passwords.
The commands for setting the passwords are the same as for a router. Those of you used to configuring the password levels on a 1900 switch will find that they are optional on an IOS-based device. The enable secret password supersedes the enable password and automatically encrypts the displayed password by default.
Switch>enable
Switch#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#enable ?
  last-resort  Define enable action if no TACACS servers respond
  password     Assign the privileged level password
  secret       Assign the privileged level secret
  use-tacacs   Use TACACS to check enable passwords
As you can see from the script, the password can be set locally or can be assigned using a protocol called TACACS.
Switch(config)#enable secret ?
  0      Specifies an UNENCRYPTED password will follow
  5      Specifies an ENCRYPTED secret will follow
  LINE   The UNENCRYPTED (cleartext) 'enable' secret
  level  Set exec level password
Entering the password with no additional options causes it to be encrypted automatically, which prevents it from being read by anyone viewing the configuration. You can see that san-fran has become $1$dytq$lj7l6VJbtocypNs1DgW2X.
Switch(config)#enable secret san-fran
Switch(config)#^Z
Switch#show running-config
Building configuration…
Current configuration : 1404 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
enable secret 5 $1$dytq$lj7l6VJbtocypNs1DgW2X.
!
Because the enable secret password takes precedence over the standard enable password, it is common practice for many users to set only the enable secret. More complex security is commonly obtained using TACACS.
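What IOS labels "encrypted" here is in fact a hash: the type 5 string is the md5-crypt scheme (a salted, 1000-round MD5 construction), and the four characters between the second and third $ are the salt. The following is an added example, not code from the book; it reimplements md5-crypt in Python so you can see how a switch turns san-fran and the salt dytq into the type 5 string above, and how a stored secret is verified without ever being decrypted. The function names (md5crypt, new_secret, verify) are this example's own.

```python
"""Reproduce and verify a Cisco IOS type-5 'enable secret' hash (md5-crypt).

Added example, not code from the book.  Type 5 is the md5-crypt scheme:
'$1$' + salt + '$' + 22 characters derived from 1000 MD5 rounds.
"""
import hashlib
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = "$1$"


def _to64(value: int, count: int) -> str:
    """Encode 'count' 6-bit groups of 'value', least significant group first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5crypt(password: str, salt: str) -> str:
    """Return '$1$<salt>$<hash>' for the given password and salt."""
    pw = password.encode()
    sl = salt.encode()[:8]          # md5-crypt caps the salt at 8 bytes

    # Alternate digest: md5(pw + salt + pw)
    alt = hashlib.md5(pw + sl + pw).digest()

    # Main context: pw, magic, salt, then 'alt' repeated up to len(pw) bytes
    ctx = hashlib.md5(pw + MAGIC.encode() + sl)
    remaining = len(pw)
    while remaining > 0:
        ctx.update(alt[: min(16, remaining)])
        remaining -= 16
    # One byte per bit of len(pw): NUL for set bits, first pw byte for clear bits
    bits = len(pw)
    while bits:
        ctx.update(b"\0" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()

    # 1000 rounds whose inputs depend on the round number (slows brute force)
    for rnd in range(1000):
        c = hashlib.md5()
        c.update(pw if rnd & 1 else final)
        if rnd % 3:
            c.update(sl)
        if rnd % 7:
            c.update(pw)
        c.update(final if rnd & 1 else pw)
        final = c.digest()

    # Permute the 16 digest bytes and encode them as 22 characters
    encoded = "".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
        for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    )
    encoded += _to64(final[11], 2)
    return f"{MAGIC}{sl.decode()}${encoded}"


def new_secret(password: str) -> str:
    """Hash with a fresh random 4-character salt, as the switch does."""
    salt = "".join(secrets.choice(ITOA64) for _ in range(4))
    return md5crypt(password, salt)


def verify(password: str, stored: str) -> bool:
    """Check a candidate password against a stored 'enable secret 5' string."""
    parts = stored.split("$")
    # Expected shape: ['', '1', '<salt>', '<22-char hash>']
    if len(parts) != 4 or parts[1] != "1":
        return False
    return secrets.compare_digest(md5crypt(password, parts[2]), stored)


if __name__ == "__main__":
    # 'san-fran' and the salt 'dytq' are the values shown in this section.
    print(md5crypt("san-fran", "dytq"))
```

Running the block prints the type 5 string for san-fran with the salt dytq, which you can compare against the show running-config output above. Note that the 1000 MD5 rounds are cheap on modern hardware, so a type 5 secret resists only casual reading of the configuration; later IOS releases add type 8 (PBKDF2-SHA256) and type 9 (scrypt) secrets for this reason.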
The remote-access Telnet (vty) password prevents unauthorized access by other network users. By default, it is not set, and the show running-config command displays no vty line entries. The passwords are set in line configuration mode, after which the lines appear in the configuration.
Switch#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#line vty 0 4
Switch(config-line)#login
% Login disabled on line 1, until 'password' is set
% Login disabled on line 2, until 'password' is set
% Login disabled on line 3, until 'password' is set
% Login disabled on line 4, until 'password' is set
% Login disabled on line 5, until 'password' is set
Switch(config-line)#password telnet
Switch(config-line)#^Z
Switch#
Now the running configuration displays both the lines configured for access and the password.
Switch#show running-config
Building configuration…
Current configuration : 1448 bytes
[output omitted]
line con 0
line vty 0 4
 password telnet
 login
line vty 5 15
 login
!
end
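The output above shows the two states a practitioner has to tell apart: vty 0 4 has both login and a password, while vty 5 15 has login with no password, so IOS refuses those sessions with the "Login disabled" message seen earlier. The following is an added example, not code from the book: a small Python audit that parses a captured running-config into command blocks and reports weak management-access settings. The sample configuration is constructed from fragments shown in this section (the vty blocks, no service password-encryption, the type 5 enable secret, and the ip http server line that appears in the default configuration later in this section); the rule wording is this example's own.

```python
"""Audit a captured Cisco IOS running-config for weak management-access settings.

Added example, not code from the book.  SAMPLE_CONFIG is constructed from
fragments shown in this section; the findings text is this example's own.
"""
from typing import List, Tuple

SAMPLE_CONFIG = """\
version 12.1
no service password-encryption
!
hostname Switch
!
enable secret 5 $1$dytq$lj7l6VJbtocypNs1DgW2X.
!
ip http server
!
line con 0
line vty 0 4
 password telnet
 login
line vty 5 15
 login
!
end
"""


def parse_blocks(config: str) -> List[Tuple[str, List[str]]]:
    """Split an IOS config into (command, [indented subcommands]) blocks.

    IOS indents subcommands by one space under their parent command;
    '!' lines are separators and carry no configuration.
    """
    blocks: List[Tuple[str, List[str]]] = []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line, []))
    return blocks


def audit(config: str) -> List[str]:
    """Return a list of findings; an empty list means no rule fired."""
    blocks = parse_blocks(config)
    top = [cmd for cmd, _ in blocks]
    findings: List[str] = []

    has_secret = any(c.startswith("enable secret") for c in top)
    has_password = any(c.startswith("enable password") for c in top)
    if has_password and not has_secret:
        findings.append("enable password set without an enable secret; "
                        "only the secret is stored as a hash")
    if "no service password-encryption" in top:
        findings.append("no service password-encryption: line passwords "
                        "appear in cleartext in the configuration")
    if "ip http server" in top:
        findings.append("ip http server: cleartext HTTP management is enabled")

    for cmd, subs in blocks:
        if not cmd.startswith("line "):
            continue
        plain_login = "login" in subs                       # line password
        aaa_login = any(s.startswith("login ") for s in subs)  # e.g. login local
        has_pw = any(s.startswith("password ") for s in subs)
        if cmd.startswith("line vty"):
            if not (plain_login or aaa_login):
                findings.append(f"{cmd}: remote access with no login configured")
            elif plain_login and not has_pw:
                # IOS refuses these sessions: "% Login disabled ... until 'password' is set"
                findings.append(f"{cmd}: login set but no password; sessions on "
                                "these lines are refused until one is configured")
        elif cmd.startswith("line con") and not (plain_login or aaa_login):
            findings.append(f"{cmd}: console access requires no authentication")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("-", finding)
```

On the sample, the audit reports the cleartext line passwords, the HTTP server, the unauthenticated console, and the password-less vty 5 15 block, and stays quiet about vty 0 4 and the hashed enable secret. Feed it the text of show running-config from a real switch to get the same report.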
The hostname on a switch, as well as on a router, is only locally significant. A good rule of thumb is to name the switch after the location it is serving.
In this case, this means that the hostname has no function on the network and plays no part in name resolution. It is nevertheless helpful to set one, so that you can identify the switch when connecting to it.
The switch command to set the hostname is exactly as it is with any router. The 2950 and 3550 begin life with a device name of “Switch.” Setting the hostname is simple.
switch#
switch#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
switch(config)#hostname Terry_2950
Terry_2950(config)#^Z
Terry_2950#
You do not have to set any IP configuration on the switch to make it work. You can just plug in devices and they should start working, as they do on a hub. IP address information is set so that you can either manage the switch via Telnet or other management software or configure the switch with different VLANs and other network functions.
To set the IP address information on a 4000 series switch, configure the supervisor engine that is plugged into slot 1 of every switch. This is called the in-band logical interface. Use the command set interface sc0:
Terry_4000> (enable) set interface sc0 172.16.10.17 255.255.255.0
Interface sc0 IP address and netmask set.
By default, the switch is configured for VLAN 1, which can be seen by using the show interface command. Notice also that the broadcast address for the subnet shows up and that you can change it by entering it with the set interface sc0 command (but we can think of only one reason that you would want to change it—to mess with the people in your MIS department):
Terry_4000> (enable) show interface
sl0: flags=51<UP,POINTOPOINT,RUNNING>
        slip 0.0.0.0 dest 0.0.0.0
sc0: flags=63<UP,BROADCAST,RUNNING>
        vlan 1 inet 172.16.10.17 netmask 255.255.255.0 broadcast 172.16.10.255
Terry_4000> (enable)
The command set interface sl0 ip_address mask is used for modem access to the switch. It assigns addressing to the Serial Line Internet Protocol (SLIP) process. Before accessing the switch via a modem, the modem process must be enabled on the switch with the set system modem enable command. The modem operates at 9600bps by default.
Many organizations have a large number of switches that need to be managed, and administrators often need access directly to the console port for remote management. A setup that allows remote access direct to the console port is desirable because some problems will prevent telnet or management access, which means you have to physically be there. Not something you want to do at 3 a.m.!
Rather than installing several modems and telephone lines, consider an access server. A 3600 with asynchronous modules, for example, can have over 100 such connections for up to 16 devices at a time and also allow for security features such as a RADIUS or TACACS+ authentication server or an IOS firewall configuration.
Cisco recommends that you use VLAN 1 for management of the switch device and then create other VLANs for users. By default, all interfaces are in VLAN 1, supporting the plug-and-play operation of switches. To set the IP configuration, you should use the command ip address in interface mode, as shown next:
Terry_2950#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Terry_2950(config)#int vlan 1
Terry_2950(config-if)#ip address 172.16.1.1 255.255.255.0
Terry_2950(config-if)#no shut
Terry_2950(config-if)#^Z
Terry_2950#
Don’t worry just yet what a VLAN is; we will be covering that in Chapter 4, “Layer 2 Switching and the Spanning Tree Protocol (STP).” For the moment, just concentrate on getting the switch up and running, using as many defaults as possible.
Remember that as far as IP is concerned, the switch is simply another host. This means that the default gateway should also be set; the command is ip default-gateway, which is a global-mode command:
Terry_2950(config)#ip default-gateway 172.16.1.254
Terry_2950(config)#^Z
Terry_2950#
Terry_2950#sho run
Building configuration…
[output cut]
interface Vlan1
 ip address 172.16.1.1 255.255.255.0
 no ip route-cache
!
ip default-gateway 172.16.1.254
ip http server
!
Terry_2950#
It is important to understand how to access switch ports. The 4000 series uses the slot/port notation. The IOS-based switches use the type slot/port notation.
You can use the show port command to view port statistics on a 4000 switch. Notice that, by default, the duplex and speed of the port are both set to auto. Ports on the 4000 and 6000 series switches are usually already enabled, but where one is not, you enable it with the set port enable command. You can turn off any port with the set port disable command:
Terry_4000> (enable) show port ?
Usage: show port
       show port <mod_num>
       show port <mod_num/port_num>
Terry_4000> (enable) show port 2/1
Port  Name               Status     Vlan       Level  Duplex Speed Type
----- ------------------ ---------- ---------- ------ ------ ----- ------------
 2/1                     connect    2          normal auto   auto  10/100BaseTX
Terry_4000> (enable) set port disable 2/1
Port 2/1 disabled.
Terry_4000> (enable) show port 2/1
Port  Name               Status     Vlan       Level  Duplex Speed Type
----- ------------------ ---------- ---------- ------ ------ ----- ------------
 2/1                     disabled   1          normal auto   auto  10/100BaseTX
Terry_4000> (enable) set port enable 2/1
Port 2/1 enabled.
Terry_4000> (enable) show port 2/1
Port  Name               Status     Vlan       Level  Duplex Speed Type
----- ------------------ ---------- ---------- ------ ------ ----- ------------
 2/1                     connect    1          normal auto   auto  10/100BaseTX
The command show config displays the complete current configuration of the set-based switch.
These switches use the type slot/port notation with both the interface command and the show command. The interface command enables you to set interface-specific configurations. As the range of 2950 and 3550 switches grows, models with several slots may become available. The following example demonstrates a 2950:
Terry_2950#config t
Enter configuration commands, one per line.  End with CNTL/Z.
Terry_2950(config)#interface fastEthernet ?
  <0-2>  FastEthernet interface number
Terry_2950(config)#interface fastEthernet 0/?
  <1-24>  FastEthernet interface number
Terry_2950(config)#interface fastEthernet 0/1
Terry_2950(config-if)#?
Interface configuration commands:
  arp            Set arp type (arpa, probe, snap) or timeout
  bandwidth      Set bandwidth informational parameter
  carrier-delay  Specify delay for interface transitions
  cdp            CDP interface subcommands
[output cut]
  spanning-tree  Spanning Tree Subsystem
  speed          Configure speed operation.
  storm-control  storm configuration
  switchport     Set switching mode characteristics
  timeout        Define timeout values for this interface
To configure the FastEthernet ports, the command is interface fastethernet 0/#.
You can switch between interfaces by using the interface fa 0/# command. Notice that we demonstrate the following commands with spaces or without—it makes no difference.
Terry_2950(config-if)#interface fa 0/2
Terry_2950(config-if)#interface fa0/3
Terry_2950(config-if)#exit
You can view the ports with the show interface command:
Terry_2950#show interface fa0/1
FastEthernet0/1 is down, line protocol is down
  Hardware is Fast Ethernet, address is 000b.be53.2c01 (bia 000b.be53.2c01)
  MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Auto-duplex, Auto-speed
  input flow-control is off, output flow-control is off
[output cut]
You can set a description on an interface, which will enable you to administratively set a name for each interface. As with the hostname, the descriptions are only locally significant.
To set a description for the 4000 switch, use the set port name slot/port command. Spaces are allowed. You can set a name up to 21 characters long:
Terry_4000> (enable) set port name 2/1 Sales Printer
Port 2/1 name set.
Terry_4000> (enable) show port 2/1
Port  Name               Status     Vlan       Level  Duplex Speed Type
----- ------------------ ---------- ---------- ------ ------ ----- ------------
 2/1  Sales Printer      notconnect 2          normal auto   auto  10/100BaseTX
For the 2950 and 3550 series switches, use the description command. You cannot use spaces with the description command, but you can use underscores if you need to:
Terry_2950#config t
Enter configuration commands, one per line.  End with CNTL/Z.
Terry_2950(config)#interface fa0/1
Terry_2950(config-if)#description Finance_VLAN
Terry_2950(config-if)#interface fa0/2
Terry_2950(config-if)#description trunk_to_Building_4
Terry_2950(config-if)#
You can view the descriptions with either the show interface command or the show running-config command:
Terry_2950#sho run
Building configuration…
Current configuration : 1387 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Terry_2950
!
ip subnet-zero
!
spanning-tree extend system-id
!
interface FastEthernet0/1
 description Finance_VLAN
 no ip address
!
interface FastEthernet0/2
 description trunk_to_Building_4
 no ip address
[output cut]
By default, all 10/100 ports on the 2950, 3550, and 4000 are set to auto-detect the speed and duplex of the port.
Because the ports on a 10/100 card are auto-detect, you don’t necessarily have to set the speed and duplex. However, there are situations where the auto-detect does not work correctly, and by setting the speed and duplex, you can stabilize the link:
Terry_4000> (enable) set port speed 2/1 ?
Usage: set port speed <mod_num/port_num> <4|10|16|100|auto>
Terry_4000> (enable) set port speed 2/1 100
Port(s) 2/1 speed set to 100Mbps.
If you set the port speed to auto, both the speed and duplex are set to auto-negotiate the link. You can’t set the duplex without first setting the speed:
Terry_4000> (enable) set port duplex 2/1 ?
Usage: set port duplex <mod_num/port_num> <full|half>
Terry_4000> (enable) set port duplex 2/1 full
Port(s) 2/1 set to full-duplex.
Terry_4000> (enable) ^C
Notice that the Ctrl+C key sequence was used in the preceding output. This is a break sequence used on both types of switches.
You can view the duplex and speed with the show port command:
Terry_4000> (enable) show port 2/1
Port  Name               Status     Vlan       Level  Duplex Speed Type
----- ------------------ ---------- ---------- ------ ------ ----- ------------
 2/1  Sales Printer      notconnect 2          normal full   100   10/100BaseTX
You can configure multiple options on any port. Speed can be set to 10, 100, or auto, and duplex can be set to half, full, or auto. You cannot configure duplex to full while the speed is set to auto. Here is an example from a 2950:
Terry_2950(config)#int fa0/1
Terry_2950(config-if)#speed ?
  10    Force 10 Mbps operation
  100   Force 100 Mbps operation
  auto  Enable AUTO speed configuration
Terry_2950(config-if)#speed 100
Terry_2950(config-if)#duplex ?
  auto  Enable AUTO duplex configuration
  full  Force full duplex operation
  half  Force half-duplex operation
Terry_2950(config-if)#duplex full
Terry_2950(config-if)#^Z
Terry_2950#
Terry_2950#sho int fa0/1
FastEthernet0/1 is down, line protocol is down
  Hardware is Fast Ethernet, address is 000b.be53.2c01 (bia 000b.be53.2c01)
  Description: Finance_VLAN
  MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s
It is important to test the switch IP configuration. You can use the “big three” tests of ping, trace, and telnet on all IOS-based switches and the 4000 and 6000 as well.
Use the IP utilities Ping, Telnet, and Traceroute to test the switch in the network:
Terry_4000> (enable) ping 172.16.10.10
172.16.10.10 is alive
Terry_4000> (enable) telnet ?
Usage: telnet <host> [port]
(host is IP alias or IP address in dot notation: a.b.c.d)
Terry_4000> (enable) traceroute
Usage: traceroute [-n] [-w wait] [-i initial_ttl] [-m max_ttl] [-p dest_port]
                  [-q nqueries] [-t tos] host [data_size]
(wait = 1..300, initial_ttl = 1..255, max_ttl = 1..255
 dest_port = 1..65535, nqueries = 1..1000, tos = 0..255
 data_size = 0..1420, host is IP alias or IP address in dot notation: a.b.c.d)
You can use the keystrokes Ctrl+Shift+6, then X, as an escape sequence.
You can use the Ping and Trace programs, and you can telnet into and out of any of the switches, as long as a password has been set up.
Terry_2950#ping 172.16.10.10
Sending 5, 100-byte ICMP Echos to 172.16.10.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/2/10 ms
You can omit the word telnet and just enter the hostname or IP address of the target host, if you wish.
Terry_2950#conf t
Terry_2950(config)#ip host jack 172.16.10.10
Terry_2950(config)#^Z
Terry_2950#ping jack
Sending 5, 100-byte ICMP Echos to 172.16.10.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/2/10 ms
If the ping test doesn’t work, make sure IP addressing and gateways are set up correctly. If they are, and no other part of the network is having problems, there is a good chance that the problem has to do with the Physical layer.
When testing Physical layer connectivity, it is important to focus the tests on the cabling and on the interfaces. In those instances when it is possible, test the port on the switch by plugging in a laptop directly. Plugging the patch cord into a different port can test the cable inside the wall. Finally, test the NIC by plugging the PC into a different cable run and port.
The IOS-based switches hold their configuration in the running-config file. Using the command copy running-config startup-config copies this file to nonvolatile RAM (NVRAM), where it is saved as the startup-config file. The 4000 series switches automatically copy their configuration to NVRAM. You can delete the configurations if you want to start over.
It is also common to back up the configuration files on a TFTP server—despite your best efforts, things will go wrong at some time in any network. First, make sure that the TFTP server is available, using the ping command. Ensure that access to the server directory is authorized, and then enter the command copy running-config (or copy startup-config) tftp. A small menu follows, prompting you for the server IP address and filename to be stored.
The command show running-config (abbreviated here to show run) displays the configuration file the switch is currently implementing.
Terry_2950#show run
Building configuration…
Current configuration : 1411 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Terry_2950
!
[output cut]
The command show startup-config (abbreviated here to show star) displays the configuration file the switch has saved in NVRAM. It follows that this is the file that will be implemented when the switch is next started. Note that the two displays are slightly different.
Terry_2950#show star
Using 1411 out of 32768 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Terry_2950
!
[output cut]
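The difference between the two displays is only in the header lines (Building configuration and Current configuration : N bytes versus Using N out of M bytes); the configuration body is what matters. A change made to the running-config and never copied to startup-config is lost at the next reload, and a change present only in startup-config means someone has altered the saved file without applying it. The following is an added example, not code from the book: a Python comparison of two captured outputs that strips those header lines and reports unsaved and unapplied lines. The two samples are constructed from the show run and show star output in this section, with an extra ip default-gateway line placed only in the running-config to show the report.

```python
"""Compare captured show running-config and show startup-config output.

Added example, not code from the book.  The header lines of the two
commands differ and carry no configuration, so they are dropped before
the line-by-line comparison.  Both samples are constructed from this
section's output.
"""
import re
from collections import Counter
from typing import List, Tuple

RUNNING = """\
Building configuration...
Current configuration : 1411 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Terry_2950
!
interface FastEthernet0/1
 description Finance_VLAN
!
ip default-gateway 172.16.1.254
!
end
"""

STARTUP = """\
Using 1411 out of 32768 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Terry_2950
!
interface FastEthernet0/1
 description Finance_VLAN
!
end
"""

# Header lines printed by show run / show star that are not configuration
HEADER_RE = re.compile(
    r"^(Building configuration|Current configuration\s*:|Using \d+ out of \d+ bytes)"
)


def normalize(capture: str) -> List[str]:
    """Keep configuration lines only: drop command headers, '!' and blanks.

    Indentation is preserved so that a subcommand such as ' description'
    is not confused with a global command of the same text.
    """
    lines: List[str] = []
    for raw in capture.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!") or HEADER_RE.match(line):
            continue
        lines.append(line)
    return lines


def _only_in(a: List[str], b: List[str]) -> List[str]:
    """Lines of a not matched by a line of b, as a multiset, in a's order."""
    extra = Counter(a) - Counter(b)
    out: List[str] = []
    for line in a:
        if extra[line] > 0:
            out.append(line)
            extra[line] -= 1
    return out


def config_diff(running: str, startup: str) -> Tuple[List[str], List[str]]:
    """Return (unsaved, unapplied): lines only in running, lines only in startup."""
    run, start = normalize(running), normalize(startup)
    return _only_in(run, start), _only_in(start, run)


def is_saved(running: str, startup: str) -> bool:
    """True when the running configuration matches what NVRAM holds."""
    unsaved, unapplied = config_diff(running, startup)
    return not unsaved and not unapplied


if __name__ == "__main__":
    unsaved, unapplied = config_diff(RUNNING, STARTUP)
    print("unsaved (running only):", unsaved)
    print("unapplied (startup only):", unapplied)
```

Pasting the real output of both commands into RUNNING and STARTUP turns this into a quick check that copy running-config startup-config has actually been run after a change.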
To delete the startup configuration file, use the command erase startup-config. A reboot of the switch is then required to arrive at an empty configuration. You cannot erase the running config.
Terry_2950#erase ?
  flash:          Filesystem to be erased
  nvram:          Filesystem to be erased
  startup-config  Erase contents of configuration memory
To delete the configurations stored in NVRAM on the 4000 series switch, use the clear config all command. The erase all command deletes the contents of flash without warning. Be careful! Here is the code:
Terry_4000> (enable) clear config ?
Usage: clear config all
       clear config <mod_num>
       clear config rmon
       clear config extendedrmon
Terry_4000> (enable) clear config all
This command will clear all configuration in NVRAM.
This command will cause ifIndex to be reassigned on the next system startup.
Do you want to continue (y/n) [n]? y
System configuration cleared.
To delete the contents of flash, use the erase all command:
Terry_4000> (enable) erase all
FLASH on Catalyst:
  Type          Address   Location
  Intel 28F016  20000000  NMP (P3) 8MB SIM
Erasing flash sector…
Terry_4000> (enable)
Terry_4000> (enable) show flash
File      Version        Sector   Size    Built
--------- -------------- -------- ------- -------
Notice that when you type erase all and press Enter, the switch just starts erasing the flash and you can’t break out of it. By using a show flash command, you can see that the contents of flash are now empty. You might not want to try this on your production switches. You can use the copy tftp flash command to reload the software.