Cisco & Cisco Network Hardware News and Technology

The Different Types of Ethernet Switches

February 1 2016 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Switches - Cisco Firewall, #c

More about the Types of Cisco Switches:

There are two main categories of Ethernet Switches: Modular and Fixed Configuration.

What exactly are Modular and Fixed Configuration switches?

Modular switches, as the name implies, allow you to add expansion modules to the switch as needed, delivering the flexibility to address changing networks. Examples of expansion modules are application-specific modules (such as Firewall, Wireless, or Network Analysis), modules for additional interfaces, power supplies, and cooling fans.

Good examples of Modular switches: Cisco Catalyst 4K and Catalyst 6K.

Fixed Configuration switches are switches with a fixed number of ports and are typically not expandable.

Good Examples of Fixed Configuration Switches: Cisco Catalyst 2K, Catalyst 3K and the Cisco 300/500 series.

The Fixed configuration switch category is further broken down into:

– Unmanaged Switches

– Smart Switches

– Managed L2 and L3 Switches

Unmanaged Switches:

This category of switch is the most cost effective for deployment scenarios that require only basic layer 2 switching and connectivity. As such, they fit best when you need a few extra ports on your desk, in a lab, in a conference room, or even at home.

With some Unmanaged switches on the market, you can even get capabilities such as cable diagnostics, prioritization of traffic using default QoS settings, energy-saving capabilities using EEE (Energy Efficient Ethernet) and even PoE (Power over Ethernet). However, as the name implies, these switches generally cannot be modified or managed. You simply plug them in, and they require no configuration at all.

Cisco 100 Series switches are good examples of this category.

Smart Switches (also known as Lightly Managed Switches):

This category of switches is the most blurred and fastest changing. The general rule here is that these switches offer certain levels of Management, QoS, Security, etc., but are “lighter” in capabilities and less scalable than Managed switches, which makes them a cost-effective alternative. As such, Smart switches fit best at the edge of a large network (with Managed Switches being used in the core), as the infrastructure for smaller deployments, or for low-complexity networks in general.

The capabilities available in this Smart switch category vary widely. All of these devices have an interface for Management – historically a browser-based interface was the only way to configure these devices, though nowadays you can manage some of them with CLI and/or SNMP/RMON as well. Regardless, these capabilities are lighter than what you will find in their Managed switch counterparts, and Smart switches tend to have a more simplified management interface than Managed Switches offer.

Smart switches allow you to segment the network into workgroups by creating VLANs, though with a lower number of VLANs and nodes (MAC addresses) than you’d get with a Managed switch.

They also offer some level of security, such as 802.1x endpoint authentication, and in some cases a limited number of ACLs (access control lists), though the level of control and granularity is not the same as on a Managed switch.

In addition, Smart switches support basic quality-of-service (QoS) that prioritizes users and applications based on 802.1q/TOS/DSCP, making them quite a versatile solution.

Cisco 200 Series switches are good examples of this category.

Fully Managed L2 and L3 switches:

Managed Switches are designed to deliver the most comprehensive set of features to provide the best application experience, the highest levels of security, the most precise control and management of the network, and offer the greatest scalability in the Fixed Configuration category of Switches. As a result, they are usually deployed as aggregation/access switches in very large networks or as core switches in relatively smaller networks. Managed switches should support both L2 switching and L3 IP routing though you’ll find some with only L2 switching support.

From a Security perspective, Managed switches provide protection of the data plane (User traffic being forwarded), control plane (traffic being communicated between networking devices to ensure user traffic goes to the right destination), and management plane (traffic used to manage the network or device itself). Managed switches also offer network storm control, denial-of-service protection, and much more.

The Access Control List capabilities allow flexible dropping, rate limiting, mirroring, or logging of traffic by L2 address, L3 address, TCP/UDP port numbers, Ethernet type, ICMP or TCP flags, etc.

Managed switches are rich in features that enable them to protect themselves and the network from deliberate or unintended Denial of Service attacks. These include Dynamic ARP Inspection, IPv4 DHCP snooping, IPv6 First Hop Security with RA Guard, ND Inspection, Neighbor Binding Integrity, and much more.

Additional Security capabilities may include Private VLANs for securing communities of users or device isolation, Secure Management (downloads through SCP, Web-based Authentication, RADIUS/TACACS AAA, etc.), Control Plane Policing (CoPP) for protecting the CPU of the switch, and richer support for 802.1x (time-based, Dynamic VLAN Assignment, port/host-based, etc.).

From a Scalability perspective, these devices have large table sizes so that you can create large numbers of VLANs (for workgroups), devices (MAC table size), IP routes, and ACL policies for flow-based security/QoS purposes, etc.

For the highest network availability and uptime, Managed switches support L3 redundancy using VRRP (Virtual Router Redundancy Protocol), large numbers of Link Aggregation groups (used both for scalability and resiliency), and capabilities for protecting L2 such as Spanning Tree Root Guard and BPDU Guard.

When we talk about QoS and Multicast features, the richness of capabilities goes far beyond what you’d see in a Smart Switch. Here you’d see things such as IGMP and MLD Snooping with Querier functions for optimizing IPv4/v6 multicast traffic in the LAN, TCP Congestion Avoidance, 4 or 8 queues to treat traffic differently by importance, setting/tagging traffic by L2 (802.1p) or L3 (DSCP/TOS), and rate limiting traffic.

In terms of Management, things such as multiple ways to configure (using CLI, Web GUI, or an SNMP Management application), discovery of neighbor devices in the network (using CDP, LLDP, Bonjour, etc.), and troubleshooting capabilities (such as VLAN and Port Mirroring, Traceroute, Ping, Syslog, Cable Diagnostics, RMON, etc.) are all included.

What I highlighted is by no means exhaustive, but gives you a sense of what some of the differences may be between Managed and Smart Switches.

Cisco Catalyst and Cisco 300 Series and 500 Series switches are good examples of this category of products.

Managed Switches can go even further than what I’ve highlighted. For example, there’s even richer support for Dynamic Unicast and Multicast Routing protocols, deeper flow intelligence or macro flow statistics with NetFlow/sFlow, Non-Stop Forwarding capabilities, MPLS/VRF support, Policy enforcement, and many others.

Now, to take a deeper dive into these switch categories and talk about various options, you can select the switches based on:

– Speed

– Number of ports

– POE versus non-POE

– Stackable versus Standalone

Speed:

You can find Fixed Configuration switches in Fast Ethernet (10/100 Mbps), Gigabit Ethernet (10/100/1000 Mbps), Ten Gigabit (10/100/1000/10000 Mbps) and even some 40/100 Gbps speeds. These switches have a number of uplink ports and a number of downlink ports. Downlinks connect to end users – uplinks connect to other Switches or to the network infrastructure. Currently, Gigabit is the most popular interface speed, though Fast Ethernet is still widely used, especially in price-sensitive environments. Ten Gigabit has been growing rapidly, especially in the datacenter, and, as the cost comes down, it will continue to expand into more network applications. With 10GBASE-T Ten Gigabit copper interfaces being integrated into LOM (LAN on the Motherboard) and 10GBASE-T switches becoming available now (see the Cisco SG500XG-8F8T 16-port 10-Gigabit switch), building a Storage or Server farm with 10 Gigabit interfaces has never been easier or more cost-effective. 40G/100G is still emerging and will be mainstream in a few years.

Number of ports:

Fixed Configuration Switches typically come in 5, 8, 10, 16, 24, 28, 48, and 52-port configurations. These ports may be a combination of SFP/SFP+ slots for fiber connectivity, but more commonly they are copper ports with RJ-45 connectors on the front, allowing for distances up to 100 meters. With fiber SFP modules, you can go distances up to 40 kilometers.

POE versus non-POE:

Power over Ethernet is a capability that facilitates powering a device (such as an IP phone, IP Surveillance Camera, or Wireless Access Point) over the same cable as the data traffic. One of the advantages of PoE is the flexibility it provides in allowing you to easily place endpoints anywhere in the business, even places where it might be difficult to run a power outlet. One example is that you can place a Wireless Access Point inside a wall or ceiling.

Switches deliver power according to a few standards – IEEE 802.3af delivers up to 15.4 Watts on a switch port, whereas IEEE 802.3at (also known as PoE+) delivers up to 30 Watts on a switch port. For most endpoints, 802.3af is sufficient, but there are devices, such as Video phones or Access Points with multiple radios, which have higher power needs. It’s important to point out that there are other PoE standards currently being developed that will deliver even higher levels of power for future applications. Switches have a power budget set aside for running the switch itself, and also an amount of power dedicated to PoE endpoints.

To find the switch that is right for you, all you need to do is choose a switch according to your power needs. When connecting to desktops or other types of devices which do not require POE, the non-POE switches are a more cost-effective option.

Stackable versus Standalone:

As the network grows, you will need more switches to provide network connectivity to the growing number of devices in the network. When using Standalone switches, each switch is managed, troubleshot, and configured as an individual entity.

In contrast, Stackable switches provide a way to simplify and increase the availability of the network. Instead of configuring, managing, and troubleshooting eight 48-port switches individually, you can manage all eight as a single unit using Stackable Switches. With a true Stackable Switch, those eight switches (384 ports in total) function as a single switch – there is a single SNMP/RMON agent, a single Spanning Tree domain, a single CLI or Web interface – i.e. a single management plane. You can also create link aggregation groups spanning multiple units in the stack, port-mirror traffic from one unit in the stack to another, or set up ACLs/QoS spanning all the units. There are valuable operational advantages to be gained by this approach.

Here’s a word of warning. Be careful about products in the market which are sold as “Stackable” when they merely offer a single user interface, or central management interface, for getting to each individual switch unit. This approach is not stackable, but really “clustering”. You still have to configure every feature such as ACLs, QoS, Port mirroring, etc, individually on each switch. Use the following as a proof point – can I create a link aggregation group with one port in one unit of the stack and another port of that group in another unit of the stack? Can I select a port on one unit in the stack and mirror the traffic to a port on another unit of the stack? When I configure an ACL for Security purposes, can I apply that to any port on any unit in the stack? If the answer is “No” to any of these questions, you’re probably not working with a stackable switch.

There are other advantages of True Stacking as well. You can connect the stack members in a ring such that, if a port or cable fails, the stack will automatically route around that failure, often at microsecond speeds. You can also add or remove stack members and have them automatically recognized and added to the stack.

Cisco Catalyst 2K-X and 3K or Cisco 500 Series Switches are examples of Switches in this category.

As you can see there’s a multitude of switch options to choose from. So, have a close look at your current deployment and future needs to determine the right switch for your network.

From http://blogs.cisco.com/smallbusiness/understanding-the-different-types-of-ethernet-switches


Configuring the ASA as CA Server

January 18 2016 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Switches - Cisco Firewall, #Cisco & Cisco Network, #c

ASDM -> Configuration -> Remote Access VPN -> Certificate Management - Local Certificate Authority

Do you know how to configure the ASA as a CA Server? The Cisco ASA can act as a Certificate Authority server and issue certificates to VPN clients or other network devices.

The Cisco ASA only provides browser-based certificate enrollment.

Before proceeding with the configuration, make sure the time on your ASA is correct (show clock), or use an NTP server to synchronize the time across your network devices.

You cannot specify a CA server name, because only one instance of the Local CA server can run at a time.

In crypto ca server configuration mode, the following options are available:

CA Server configuration commands:

  • cdp-url: Specifies the certificate revocation list distribution point (CDP) to be included in the certificates issued by the CA.
  • database: Specifies a path or location for the local CA database. The default location is flash memory.
  • enrollment-retrieval: Specifies the time in hours during which an enrolled user can retrieve a PKCS12 enrollment file.
  • issuer-name: Indicates that the rule entry is applied to the issuer DN of the IPsec peer certificate.
  • keysize: Configures the size of the key pair generated for certificate enrollments on the local CA server.
  • lifetime ca-certificate: Specifies the lifetime of the CA certificate.
  • lifetime certificate: Specifies the lifetime of user certificates.
  • lifetime crl: Specifies the lifetime of the CRL.
  • otp expiration: Specifies the lifetime of the one-time password (OTP).
  • publish-crl: Makes the CRL available for download via HTTP on the specified interface.
  • renewal-reminder: Specifies how long before certificate expiration the ASA notifies users by email.
  • smtp from-address: Specifies the email address from which notifications delivering the OTP password and enrollment invitations are sent.
  • smtp subject: Customizes the email subject.
  • subject-name-default: Specifies an optional default subject-name DN.

Basic ASA configuration as CA server

ASDM -> Configuration -> Remote Access VPN -> Certificate Management - Local Certificate Authority

...

Equivalent CLI configuration.

ASA(config)# crypto ca server
ASA(config-ca-server)# lifetime ca-certificate 100
ASA(config-ca-server)# lifetime certificate 30
ASA(config-ca-server)# smtp from-address admin@cisco.com
ASA(config-ca-server)# smtp subject Certificate enrollment
ASA(config-ca-server)# keysize 2048
ASA(config-ca-server)# cdp-url http://cisco/+CSCOCA+/asa_ca.crl
ASA(config-ca-server)# subject-name-default CN=BoB, O=Cisco, C=US
ASA(config-ca-server)# no shutdown

Once the CA server has been enabled, you cannot modify its configuration unless you shut the server down first.
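Because the block above cannot be edited once the server is up, it is worth checking it before entering no shutdown. The following is an added example, not code from the post or from Cisco: it parses a crypto ca server block as it would appear in the running configuration and flags a few policy problems. It assumes that both lifetime values are in days and that the thresholds, the defaults used for absent lines, and the sample configurations are this example's own.

```python
"""Lint an ASA local CA server block (added example; not from the post or Cisco).

Assumptions, not stated on the page: 'lifetime ca-certificate' and
'lifetime certificate' are in days; the thresholds and the defaults used
when a line is absent are this example's own policy choices.
"""
from typing import Dict, List
from urllib.parse import urlparse

# Constructed sample: the post's CLI block as it would appear in
# 'show running-config' (prompts removed, one-space indentation).
SAMPLE_CONFIG = """\
crypto ca server
 lifetime ca-certificate 100
 lifetime certificate 30
 smtp from-address admin@cisco.com
 smtp subject Certificate enrollment
 keysize 2048
 cdp-url http://cisco/+CSCOCA+/asa_ca.crl
 subject-name-default CN=BoB, O=Cisco, C=US
 no shutdown
"""

# Constructed weak variant: small key, user certs outliving the CA, server left down.
WEAK_CONFIG = """\
crypto ca server
 lifetime ca-certificate 100
 lifetime certificate 400
 keysize 1024
 cdp-url http://ca.example.com/+CSCOCA+/asa_ca.crl
 shutdown
"""

MIN_KEYSIZE = 2048          # policy threshold chosen for this example
DEFAULT_KEYSIZE = 1024      # assumed defaults applied when the line is absent
DEFAULT_CA_DAYS = 1095
DEFAULT_CERT_DAYS = 365


def parse_ca_server(config: str) -> Dict[str, str]:
    """Return settings from the 'crypto ca server' block as {keyword: argument}.

    Two-word commands ('lifetime certificate', 'smtp subject') keep both
    words as the key; 'no shutdown' is stored as shutdown -> 'no'.
    """
    settings: Dict[str, str] = {}
    in_block = False
    for line in config.splitlines():
        if not in_block:
            in_block = line.strip() == "crypto ca server"
            continue
        if not line.startswith(" "):        # next top-level command ends the block
            break
        words = line.split()
        if words[0] == "no":
            settings[words[1]] = "no"
        elif words[0] in ("lifetime", "smtp"):
            settings[f"{words[0]} {words[1]}"] = " ".join(words[2:])
        else:
            settings[words[0]] = " ".join(words[1:])
    return settings


def lint_ca_server(settings: Dict[str, str]) -> List[str]:
    """Return human-readable findings; an empty list means the block passed."""
    findings: List[str] = []

    keysize = int(settings.get("keysize", DEFAULT_KEYSIZE))
    if keysize < MIN_KEYSIZE:
        findings.append(f"keysize {keysize} is below {MIN_KEYSIZE} bits")

    ca_days = int(settings.get("lifetime ca-certificate", DEFAULT_CA_DAYS))
    cert_days = int(settings.get("lifetime certificate", DEFAULT_CERT_DAYS))
    if cert_days >= ca_days:
        findings.append(
            f"user certificate lifetime ({cert_days} days) is not shorter "
            f"than the CA certificate lifetime ({ca_days} days)"
        )

    # Relying parties fetch the CRL from this URL, so its host must be
    # resolvable from wherever the issued certificates are validated.
    cdp = settings.get("cdp-url")
    if cdp and "." not in (urlparse(cdp).hostname or ""):
        findings.append(f"cdp-url host {urlparse(cdp).hostname!r} is not fully qualified")

    if settings.get("shutdown") != "no":
        findings.append("server is shut down: no certificates will be issued")
    return findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("weak", WEAK_CONFIG)):
        print(name, lint_ca_server(parse_ca_server(cfg)) or ["ok"])
```

Run against the post's own block, the only finding is the bare hostname in the CDP URL; the constructed weak variant trips the key size, lifetime and shutdown checks.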

Show and debug commands:

  • debug crypto ca server
  • show crypto ca server
  • show crypto ca server cert-db

More information http://www.cisco.com/c/en/us/td/docs/security/asa/asa81/config/guide/config/cert_cfg.html

Original Guide From https://supportforums.cisco.com/document/12597006/how-configure-asa-ca-server


Discussion about the Cisco 6807-XL Slots

January 4 2016 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Modules - Cisco Cables - Cisco Memory

Mechanical View of Cisco Catalyst 6807-XL

We talked about the Cisco Transceiver Modules a lot before, such as the S-Class Optics vs. Non-S-Class Optics, the CVR-X2-SFP10G & CVR-X2-SFP10G=, and the Cisco 10GBASE X2 Module & SFP Compatibility.

These are all popular questions asked by customers. In this article we continue with the Cisco 6807-XL slots issue put forward by Cisco users. What did they discuss? Let’s see the details…

The Question: “I want to choose 6807-XL as a core switch in my project, but I have question! Can I use 6 cards as a module and 1 as SUP 2T or I must use 5 Slots for modules cards?? Because I need One SUP 2T and I want to use the rest of 6 slots for module cards, Can I do that?”

…The pinouts between the module slots and sup slots are different. So slots 5 and 6 are reserved for sups and can't be used with regular modules.

So is there any model more than 7 slots from 6800 series?

Another Question: “There is a difference between X2-10GB-SR= and SFP-10G-SR= because I want to replace the WS-X6816-10G-2T card with C6800-32P10G-XL which can carry 32 ports 10G with One card so I can save one slot! Can I do that?”

…The Cisco 6807 is the larger chassis you can get on the 6800 series. As for 16 port 10Gig vs. 32 port 10Gig, you can definitely use the 32 port 10gig module to solve the issue of not having enough slots for all your 10Gig interfaces. Also, you can enable VSS on the 6800 series to give you the redundancy you need without using HSRP/VRRP, etc...

“And but 16port 10Gig uses Pluggable transceivers X2-10GB-SR= and 32port 10Gig uses Pluggable transceivers SFP-10G-SR=?! Is there any difference between them? Or both them the same!”

You need the 16 port 10Gig SFP+ or the 32 port 10Gig SFP+

See this link for part numbers and descriptions:

http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-6800-series-switches/datasheet-c78-733662.html

Two models:

C6800-16P10G, a 16-port 10-Gigabit Ethernet Fiber Module with DFC4, and C6800-16P10G-XL, a 16-port 10-Gigabit Ethernet Fiber Module with DFC4XL

C6800-32P10G, a 32-port 10-Gigabit Ethernet Fiber Module with DFC4, and C6800-32P10G-XL, a 32-port 10-Gigabit Ethernet Fiber Module with DFC4XL

The difference between WS-X6816-10G-2T card and C6800-32P10G-XL?

X2 and SFP are different form factors. On some of these, you CAN get a twinGig adapter to convert an X2 into multiple SFP ports, but I don't think these can be 10G SFP+ (although it may be possible on the newer modules).

There shouldn't be a performance difference between SFP+ or X2. However, check the capability of the line card / chassis backplane - if you have 16 10G ports, make sure the line card plugged into supports what you expect. Remember, if all ports are 10G running flat out, your total backplane for that line card is 160G, unless it's between servers in the same VLAN connected to the same blade.

The original discussion from https://supportforums.cisco.com/discussion/12736701/6807-xl-slots-issue

What’s your opinion about the Cisco 6807-XL Slots issue? Welcome to share with us here…


About Cisco ASR 9000 Series & vDDoS Protection Solution

December 15 2015 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Routers

Cisco ASR 9000 Series & vDDoS Protection Solution...More Benefits

Cisco ASR 9000 vDDoS Defends Against Various Types of DDoS Attacks

Aggregation Services Router (ASR) offers the industry’s highest density Carrier Ethernet system, with superior edge and aggregation performance.

The Cisco ASR 9000 series routers are the cornerstone of modern Edge and Carrier Ethernet networks.

Network traffic surges. Links saturate. Systems overload. Customer complaints flood the call centers. What’s going on? One possibility is a distributed denial-of-service (DDoS) attack.

Cisco ASR 9000 virtual DDoS (vDDoS) protection defends your network against DDoS attacks by embedding Arbor Networks DDoS detection and mitigation technology into your Cisco network. You can automatically mitigate all types of DDoS attacks against your network or your customers’ networks. The solution protects your network against different types of DDoS attacks—such as volumetric, state exhaustion, and application layer attacks—helping to ensure its continued availability.

And you can also use the capability to provide DDoS protection services to your customers to increase your revenue and retain customers.

The ASR 9000 powers a virtual Peakflow Threat Management System on its Virtualized Services Module (VSM), so you can deliver DDoS protection services to market fast.

Benefits

• Add distributed denial of service (DDoS) protection to Cisco ASR 9000 deployments with no extra rack space, power, or cooling requirements.

• Combine existing Arbor Threat Management System appliances with comprehensive vDDoS protection.

• Distribute DDoS protection to the network edge to avoid backhauling traffic across backbones to regional scrubbing centers.

• Deliver DDoS protection services faster on the ASR’s Virtualized Service Module (VSM).

• Mitigate attacks using Peakflow workflows to protect your availability and manage your Peakflow and vDDoS protection deployments.

Detection at the Edge

The ASR 9000 vDDoS protection solution unleashes the power of the Cisco ASR 9000 to stop DDoS attacks at the network edge. All before attacks can pass into your network and your customers’, consume critical bandwidth, and cause collateral damage. Normal traffic passes uninterrupted.

This approach eliminates the need to route attack traffic across your backbone to centralized scrubbing centers for cleansing. And it keeps your network edge from getting congested.

Unlike other DDoS solutions, Cisco ASR 9000 vDDoS protection is a virtualized, network-embedded DDoS solution. Detection and centralized management take place through the Arbor Networks Peakflow GUI and its workflows.

Increase the ROI of your existing Cisco ASR 9000 router deployment with virtual DDoS protection – of your own network and that of your customers in the form of new services – without needing any additional rack space, power, or cooling.

What You Buy

● Cisco ASR 9000 Series router (models: ASR 9006 Router, ASR 9010 Router, ASR 9912 Router, or ASR 9922 Router)

● Cisco ASR 9000 Series VSM

● Cisco ASR 9000 vDDoS Protection

● Arbor Networks Peakflow

● Support for all components

● Installation

● Arbor Networks AIF subscription

Key Capabilities

● DDoS attack detection in as little as one second

● Up to 40 Gbps of mitigation through the ASR 9000 Series VSM

● Up to tens of terabytes per second of blacklisting

● Deployments scale for Tier 1 service provider networks

● Multitenant customer portal

…If you want to read more about the Cisco ASR 9000 vDDoS Protection Solution, such as how DDoS detection and mitigation work and the models and options available, you can refer to Cisco’s page:

http://www.cisco.com/c/en/us/products/collateral/routers/asr-9000-series-aggregation-services-routers/solution-overview-c22-736143.html


Cisco 800 Series Integrated Services Routers, New…

December 2 2015 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Routers

Small-Office Routers That Deliver Big Performance

Use Cases and WAN Speeds: Cisco 800 Series ISRs

Cisco 800 Series Integrated Services Routers--Benefits

Need an affordable router? Never give up important network services? Which router will fit you? Uh, if you need an affordable router but don’t want to give up important network services such as security, you can take a look at the Cisco 800 Series Integrated Services Routers. These Cisco ISRs deliver the secure, reliable WAN connectivity your small offices and remote workers need.

Whether you need built-in voice, wireless, WAN optimization, or machine-to-machine communications, there’s an 800 Series router that’s cost-optimized for your requirement.

Different models in the series support different connection types to serve the specific needs of your small office. That could be xDSL, Wi-Fi, 4G LTE, Ethernet, fiber, or something else. You choose the models that best serve your situation.

Cisco 800 Series Integrated Services Routers--Benefits

• Get full-service branch routing at the right price

• Choose from a variety of wired, wireless, and cabled WAN connection types

• Set up and manage your small-office router in minutes

• Get software features consistent with your Cisco routers in other network segments

• Balance affordability with enterprise-grade security and reliability

All-in-One Platform

Routing, switching, wireless, and intelligent IP network services are all bundled into one compact form factor that’s quick to install using the Cisco Configuration Professional Express tool. So you get lots of functionality with a single hardware investment. That also means there’s only one device per site to manage. And you can manage all of them centrally, if you like, from a data center with Cisco Prime Infrastructure and LiveAction applications.

The 800 ISRs provide comprehensive security–encryption, VPN, firewall, and cloud-based URL filtering–to help you safeguard your customers and data.

From http://www.cisco.com/c/dam/en/us/products/collateral/routers/800-series-routers/at-a-glance-c45-735760.pdf


Cisco Mobility Express Solution for K-12

November 18 2015 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco & Cisco Network

Deploy and Manage Your School’s Wi-Fi Network in a Snap

What can the Cisco Mobility Express Solution do for you? The Cisco Mobility Express Solution can easily help you deploy a wireless network with all of Cisco’s advanced wireless innovations, using a simple, over-the-air configuration interface.

Nowadays, at your school, students might be using digital textbooks. And you might be required to provide a tablet or laptop for every student. Network connections will probably be wireless for the flexibility to use devices from anywhere on campus. Faculty and administrative personnel, too, rely on wireless networking for internal communications that are part of their jobs.

If your IT staff is tiny or nonexistent, how can you deploy and manage the wireless network? Especially if there are multiple schools scattered throughout the district to cover?

Cisco Mobility Express Solution targets just such situations. Mobility Express is built into Cisco Aironet 1850 and 1830 Series Access Points, which support 802.11ac Wave 2. Wave 2 is the very latest Wi-Fi standard, supporting gigabit speeds and protecting your Wi-Fi access point investment into the future.

Benefits

  • Ideal for schools needing up to 25 Wi-Fi access points
  • Supports Cisco’s industry-leading features with no price premium
  • Non-IT personnel can set up the wireless network in less than 10 minutes
  • Three-step, wizard-based setup means no command lines to learn
  • Delivers 802.11ac Wave 2, the latest and fastest wireless LAN technology on the market
  • Bundles virtual WLAN controller management capabilities into the AP at no extra cost
  • Cisco Connected Mobile Experience (CMX) can be added to boost customer engagement and give you presence-based analytics

Be Prepared for Wave 2 Client Devices--New 802.11ac Wave 2 client devices will soon appear on your network as students, faculty, and staff upgrade their smartphones and tablets.

Installing a Wave 2 Wi-Fi access point prepares you to deliver the most robust performance possible to them from day one. Turn to Cisco, a leader in helping advance the 802.11ac specifications, to help you stay ahead of the growing Wi-Fi traffic volumes that the new devices will generate.

1, 2, 3, and You’re Up

Supported on the Cisco Aironet 1850 and 1830 Series Access Points, the Mobility Express Solution lets you deploy your wireless LAN in less than 10 minutes. You can simultaneously configure multiple Aironet access points with industry best-practice settings already enabled by default. Follow just three steps to configure your network:

  1. Connect to an 1850 or 1830 access point using any wireless device
  2. Use the Cisco WLAN Express Setup Wizard to configure multiple access points simultaneously. Your wireless network can contain a mix of Cisco Aironet 1850, 1830, 1600, 2600, 3600, 1700, 2700 and 3700 Series Access Points. You just need an 1850 or 1830 for the control function.
  3. Access the management dashboard – available via a browser or a mobile app – to operate, monitor, and troubleshoot your network.

When you want to access your Mobility Express dashboard from your mobile device, use the Cisco Wireless app, available at the Google Play Store and Apple App Store.

Built-In Management

Using a virtual wireless LAN controller built right into the Cisco Aironet 1850 and 1830 access points, you can manage all your access points from a central console. You can easily manage up to 25 APs and 500 clients for each Mobility Express virtual controller you deploy. That means if you are a smaller venue, you can now deliver the same quality user experiences as large enterprises. There’s no price premium, and you don’t have to understand command-line interfaces.

There’s no longer the burden of having to manage autonomous APs one at a time, and no need to invest in a separate WLAN controller appliance for management.

To learn more about Cisco Mobility Express Solution, Cisco Aironet 1850 and 1830 Series Access Points, and 802.11ac Wave 2, visit: http://www.cisco.com/go/mobilityexpress.

Original from http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/mobility-express/at-a-glance-c45-734261.pdf


IPv6 Feature Support on the Cisco ASA Firewall

November 12 2015 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Technology - IT News, #Cisco Switches - Cisco Firewall

It is well known that the Cisco ASA series supports IPv6, and it can be set up quickly and easily. The following section focuses on a basic ASA setup for a native IPv6 network. As you will see, very few commands are required to have your ASA firewall join an IPv6-ready network.

Here is a quick way to configure your ASA firewall for IPv6 connectivity.

BASIC CONFIGURATION

Step 1

In this step we assign a link-local address to the interface. There are two ways to assign a link-local address to the interface.

Step 1.1.

Configure the interface to generate a link local address from its MAC address.

interface GigabitEthernet 0/0
no shutdown
nameif inside
ipv6 enable

When you enter ipv6 enable, a link-local address is automatically generated (based on the interface MAC address).

Step 1.2.

Configure a link local address manually.

interface GigabitEthernet 0/0
no shutdown
nameif inside
ipv6 address <ipv6-address> link-local

Using the above command you can assign a link local address to the interface manually.

You can verify the link local address by executing the “show ipv6 interface” command.

Step 2

Next we have to assign the global address to the interface. There are 2 ways of doing this.

Step 2.1.

You can manually assign a global IPv6 address to the interface.

interface GigabitEthernet 0/0
ipv6 address 2001:db8:2:3::1/64

With the ipv6 address command above, you are manually specifying the global IPv6 address for the interface. You can specify more than one IPv6 address for the interface by repeating the command.

Step 2.2.

You can configure the interface to obtain the address automatically using stateless address autoconfiguration.

interface GigabitEthernet 0/0
ipv6 address autoconfig

Enabling stateless autoconfiguration on the interface configures IPv6 addresses based on prefixes received in Router Advertisement messages.

NOTE: There was a defect (CSCuq62164) in the ASA software that caused the ASA not to assign an address if it received an RA message with both the M and A flags set. This was fixed in the 9.3(1) release, so we recommend that version if you intend to use SLAAC for configuring the address on ASA interfaces.

Step 3

Verify IPv6 configuration.

Example:

show ipv6 interface
inside is up, line protocol is up
IPv6 is enabled, link-local address is fe80::e6c7:22ff:fe84:eb2
Global unicast address(es):
2001:db8:2:3::1, subnet is 2001:db8:2:3::/64
Joined group address(es):
ff02::1:ff00:1
ff02::1:ff84:eb2
ff02::2
ff02::1
ICMP error messages limited to one every 100 milliseconds
ICMP redirects are enabled
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND advertised reachable time is 0 milliseconds
ND advertised retransmit interval is 1000 milliseconds
ND router advertisements are sent every 200 seconds
ND router advertisements live for 1800 seconds
Hosts use stateless autoconfig for addresses.
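As an added example (not part of the original article), the following Python derives the addresses the ASA generates from an interface MAC and checks them against the show ipv6 interface output from Step 3: the EUI-64 link-local address from Step 1.1, the solicited-node groups for each address, and the all-nodes/all-routers groups. The MAC e4c7.2284.0eb2 and the output text are constructed to match the sample above.

```python
import ipaddress
import re


def eui64_link_local(mac: str) -> ipaddress.IPv6Address:
    """Modified EUI-64 link-local address, the form 'ipv6 enable' generates."""
    octets = bytes.fromhex(re.sub(r"[.:-]", "", mac))
    if len(octets) != 6:
        raise ValueError("MAC must be 48 bits")
    # Flip the universal/local bit of the first octet and insert ff:fe in the middle.
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + iid)


def solicited_node(addr) -> ipaddress.IPv6Address:
    """ff02::1:ffXX:XXXX group that every unicast address joins (RFC 4291)."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24)


def parse_show_ipv6_interface(text: str) -> dict:
    """Extract the link-local address, global unicast addresses and joined groups."""
    info = {"link_local": None, "global": [], "groups": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.search(r"link-local address is (\S+)", line)
        if m:
            info["link_local"] = ipaddress.IPv6Address(m.group(1))
            continue
        if line.startswith("Global unicast address"):
            section = "global"
            continue
        if line.startswith("Joined group address"):
            section = "groups"
            continue
        m = re.match(r"([0-9a-fA-F:]+), subnet is", line)
        if section == "global" and m:
            info["global"].append(ipaddress.IPv6Address(m.group(1)))
            continue
        if section == "groups" and re.fullmatch(r"[0-9a-fA-F:]+", line):
            info["groups"].append(ipaddress.IPv6Address(line))
            continue
        section = None  # any other line ends the current list
    return info


def check_interface(mac: str, show_output: str) -> list:
    """Return a list of inconsistencies; an empty list means the output matches."""
    info = parse_show_ipv6_interface(show_output)
    findings = []
    expected = eui64_link_local(mac)
    if info["link_local"] != expected:
        findings.append(f"link-local {info['link_local']} is not EUI-64 of {mac} ({expected})")
    for a in [info["link_local"]] + info["global"]:
        if a is not None and solicited_node(a) not in info["groups"]:
            findings.append(f"{a}: solicited-node group {solicited_node(a)} not joined")
    # all-nodes, and all-routers because the ASA sends RAs on this interface
    for g in ("ff02::1", "ff02::2"):
        if ipaddress.IPv6Address(g) not in info["groups"]:
            findings.append(f"not joined to {g}")
    return findings


# Constructed sample, matching the 'show ipv6 interface' output in Step 3.
SHOW_OUTPUT = """\
inside is up, line protocol is up
  IPv6 is enabled, link-local address is fe80::e6c7:22ff:fe84:eb2
  Global unicast address(es):
    2001:db8:2:3::1, subnet is 2001:db8:2:3::/64
  Joined group address(es):
    ff02::1:ff00:1
    ff02::1:ff84:eb2
    ff02::2
    ff02::1
  ICMP error messages limited to one every 100 milliseconds
"""

if __name__ == "__main__":
    print(check_interface("e4c7.2284.0eb2", SHOW_OUTPUT) or "interface output is consistent")
```

A manually configured link-local address (Step 1.2) will show up as the first finding, which is expected; the group checks still apply.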

Step 4 (Optional)

Suppress Router Advertisement messages on an interface.

By default, Router Advertisement messages are automatically sent in response to router solicitation messages. You may want to disable these messages on any interface for which you do not want the security appliance to supply the IPv6 prefix (for example, the outside interface).

Enter the following command to suppress Router Advertisement messages on an interface:

ipv6 nd suppress-ra

Neighbor discovery will continue to be operational even though RA suppression has been configured.

Step 5

Define an IPv6 default route.

ipv6 route outside ::/0 next_hop_ipv6_addr

Using ::/0 is equivalent to “any”. The ipv6 route command is functionally similar to the IPv4 route command.

Step 6

Define access-lists.

Using the regular access-list command, define access-lists with IPv6 addresses in them to permit the required traffic to flow through the ASA.

Example:

access-list test permit tcp any host 2001:db8::203:a0ff:fed6:162d
access-group test in interface outside

The above permits traffic to the specific server 2001:db8::203:a0ff:fed6:162d.

SECURING THE FIREWALL

If you plan to use autoconfig for the IPv6 global address on the ASA, you should limit router advertisements (RAs) to known routers in your network. This helps prevent the ASA from being autoconfigured by unknown routers.

access-list outsideACL permit icmp6 host fe80::21e:7bff:fe10:10c any router-advertisement
access-list outsideACL deny icmp6 any any router-advertisement
access-group outsideACL in interface outside

interface GigabitEthernet 0/0
nameif outside
security-level 0
ipv6 address autoconfig
ipv6 enable

When applied on the ASA, the above access-list accepts router advertisements (RAs) only from the specified router. All other RAs are denied.
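To see which advertisements that access-list admits, here is an added example (not from the article) that evaluates the two ACEs above first-match against constructed RA sources. It also shows the implicit deny at the end of the list and why the order of the permit and deny lines matters.

```python
import ipaddress

# The two ACEs from the section above; the known router's link-local address is the article's.
OUTSIDE_ACL = [
    "access-list outsideACL permit icmp6 host fe80::21e:7bff:fe10:10c any router-advertisement",
    "access-list outsideACL deny icmp6 any any router-advertisement",
]


def _address(tokens, i):
    """Parse one address operand (any | any6 | host X | X/prefix) starting at tokens[i]."""
    if tokens[i] in ("any", "any6"):
        return ipaddress.IPv6Network("::/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv6Network(tokens[i + 1] + "/128"), i + 2
    return ipaddress.IPv6Network(tokens[i]), i + 1


def parse_ace(line):
    """Return (action, src_net, dst_net, icmp6_type) for the icmp6 ACE subset used here."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[3] != "icmp6":
        raise ValueError(f"unsupported ACE: {line}")
    action = tokens[2]
    src, i = _address(tokens, 4)
    dst, i = _address(tokens, i)
    icmp6_type = tokens[i] if i < len(tokens) else None  # None means any ICMPv6 type
    return action, src, dst, icmp6_type


def evaluate(acl, src, dst, icmp6_type):
    """First matching ACE decides: returns (action, index of the matching ACE).

    With no match the ASA's implicit deny applies, reported as ("deny", None).
    """
    s, d = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    for index, line in enumerate(acl):
        action, src_net, dst_net, t = parse_ace(line)
        if s in src_net and d in dst_net and t in (None, icmp6_type):
            return action, index
    return "deny", None


# Constructed packets: RAs go to the all-nodes group ff02::1.
KNOWN_ROUTER = "fe80::21e:7bff:fe10:10c"
ALL_NODES = "ff02::1"

if __name__ == "__main__":
    for src in (KNOWN_ROUTER, "fe80::bad:1"):
        print(src, "->", evaluate(OUTSIDE_ACL, src, ALL_NODES, "router-advertisement"))
    # Same list with the lines swapped: the deny shadows the permit and the known router is blocked.
    print("swapped ->", evaluate(list(reversed(OUTSIDE_ACL)), KNOWN_ROUTER, ALL_NODES, "router-advertisement"))
```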

Configuring ASA to help autoconfigure IPv6 addresses on hosts behind the ASA

The hosts in the network behind the ASA might be configured to autoconfigure their IPv6 addresses. Dynamic address assignment happens in two ways on IPv6 networks: stateful address assignment or stateless address assignment.

Stateful dynamic address assignment

For stateful address assignment, a DHCPv6 server that assigns addresses to hosts on request needs to be configured on the network. The ASA currently does not have the ability to host a DHCPv6 server on its interfaces, but it can act as a DHCPv6 relay agent. To enable stateful dynamic address assignment to hosts behind the ASA, the DHCPv6 relay agent needs to be configured on the ASA.

To configure the DHCPv6 relay agent the following configuration is needed:

ipv6 dhcprelay server 2001:db8:c18:6:a8bb:ccff:fe03:2701
ipv6 dhcprelay enable inside

The first command specifies the address of a DHCPv6 server to which the DHCP requests are forwarded. The command also accepts an optional interface name that specifies the output interface for the destination. The second command enables DHCP relay on an interface. When DHCP relay is enabled on an interface, all the DHCP requests coming on that interface get forwarded to the configured DHCP server.

Stateless dynamic address assignment

In Stateless Autoconfiguration (SLAAC) the client picks up its own address based on the prefix being advertised by the ASA. The prefix is advertised by means of an IPv6 router advertisement. ASA sends out IPv6 router advertisements by default from any interface on which a global IPv6 address is configured. Additionally, a DHCPv6 relay agent can be configured to point to a DHCPv6 server that can advertise a DNS server address and a domain name only.

IPv6 Prefix delegation

ASA does not support IPv6 prefix delegation yet. If the network behind the ASA needs IPv6 addresses assigned from a prefix delegated by a delegating router, place the ASA between the provider edge (PE) router and the IPv6-capable customer premise router. The ASA must be in transparent mode. This way the ASA protects the entire IPv6 network, including the infrastructure router, on the customer premises. All ICMP6 traffic must be permitted on the ASA running in transparent mode.

The following must be configured on the ASA:

firewall transparent

interface BVI1
no ip address
ipv6 enable

interface GigabitEthernet0/0
nameif outside
bridge-group 1
security-level 0

interface GigabitEthernet0/1
nameif inside
bridge-group 1
security-level 100

access-list permit_icmp6 extended permit icmp6 any6 any6
access-group permit_icmp6 global

This example uses a link-local IPv6 address on the BVI interface. You can also configure an explicit IPv6 address for in-band management purposes.

The original article was shared from https://supportforums.cisco.com/document/61451/cisco-asa-ipv6-quick-start


The Cisco 3850-Standalone- IOS XE Upgrade…Details…

November 6 2015 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Switches-Software

New Cisco Catalyst 3850 Switches


There are 2 methods of booting and running IOS XE software in 3850 switch/stack.

By default, the switches are shipped in Install mode.

Bundle mode: Bundle mode is where we boot the switch/stack using the .bin file. This is the traditional method of booting the switch, where the switch extracts the .bin file into the RAM of the switch and runs from there.

Install Mode: Install mode is where we pre-extract the .bin file in the flash and boot the switch/stack using the packages.conf file created during the extraction.

Note:

Install mode is the recommended mode of running the switch. Not all features may be available in Bundle mode.

IOS XE installation and software rollback are supported only when the switch is running in “Install” mode. (i.e.: The commands “software install” and “software rollback”.)

Use the “software expand” command to convert the switch from Bundle mode into Install mode. The steps are given below.

Upgrading a stand-alone switch:

The packages and provisioning file used to boot in installed mode must reside in the flash.

Booting in installed mode from usbflash0: or TFTP is not supported.

Booting a bundle in bundle mode is just like booting a monolithic IOS image.

For example: boot flash:cat3k_caa-universalk9.SSA.03.08.83.EMD.150-8.83.EMD.bin

Hence, the boot variable should not point to the .bin file; if it does, the switch boots in Bundle mode. The boot variable should point to the “packages.conf” file for the switch to boot in Install mode.

Before doing the upgrade, check the mode in which the switch is currently booted.

C3850#show version | begin Switch Port
Switch Ports Model         SW Version SW Image              Mode
------ ----- -----         ---------- --------              ----
*    1 32    WS-C3850-24T  03.03.01SE cat3k_caa-universalk9 INSTALL   <-- Install mode

Upgrading from Install mode:

By default, switches are shipped in Install mode.

To upgrade the switch from Install mode, follow the procedure below.

  1. Download the new image from the TFTP server to the flash / USB on the switch. (optional)

copy tftp: flash:
(or)
copy tftp: usbflash0:

  2. Use the “software install” command to install the newly downloaded image, or an image present in the network.

C3850-01#software install file <source>:<filename.bin> new

The “new” keyword is used so that the post-install package set contains only the packages being installed. The old packages file is renamed for future rollback purposes. Without this option, the post-install package set is a merged set of the currently installed software and the new packages being installed.

The source can be

  • flash: or usbflash0: (or a sub-directory of these)
  • The network via tftp, ftp or http

NOTE: When performing ‘software install’ on a switch with a source bundle that resides in the network, the source bundle is first downloaded to RAM on switch. The source bundle is deleted from RAM when the operation completes.

Refer to the configuration guide for the other optional parameters of this command.

Example:

C3850#dir flash:
Directory of flash:/
<<snippet>>
29511 -rwx 220716072 Oct 15 2012 12:57:59 +00:00 cat3k_caa-universalk9.SSA.03.08.88.EMP.150-8.88.EMP.bin

C3850#software install file flash:cat3k_caa-universalk9.SSA.03.08.88.EMP.150-8.88.EMP.bin
<<snippet>>
[1 ]: Creating pending provisioning file
[1 ]: Finished installing software. New software will load on reboot.
[1 ]: Committing provisioning file
[1 ]: Do you want to proceed with reload? [yes/no]: n
C3850#

Once the installation is completed, reload the switch and it will boot into the newly installed IOS XE image.

From Bundle mode:

If the switch is currently running in “Bundle” mode, then we need to use the “software expand” command to convert the switch into the Install mode first and then install the new IOS XE.

The ‘software expand’ exec command is used to extract the package files and the provisioning file (packages.conf) from a source bundle (possibly the running bundle) and copy them to the specified destination directory in a local storage device.

This command will typically be used to convert from the bundle running mode to the installed running mode.

NOTE: When performing ‘software expand’ on a switch with a source bundle that resides in local storage, the source bundle is first copied to the corresponding local storage device on the switch. The source bundle used for the expand operation is left intact after it is expanded.

NOTE: When performing ‘software expand’ on a switch with a source bundle that resides in the network, the source bundle is first downloaded to RAM of the switch. The source bundle is deleted from RAM on the switch when the operation completes.

This example uses the following steps to prepare a switch for booting in installed mode, i.e., booting a package provisioning file (packages.conf):

  1. Boot in bundle mode using ‘boot flash:<bundle name>’ (you can also boot from usbflash0: or via tftp)
  2. Use the ‘software clean file flash:’ command to remove any unused package, bundle and provisioning files from flash:
  3. Use the ‘software expand running to flash:’ command to expand the running bundle to flash:
  4. Reload the switch
  5. Boot the installed packages using ‘boot flash:packages.conf’

Software Rollback:

The 'software rollback' exec command can be used to revert to a previous version of the installed software package set (i.e., an older packages.conf file)

This functionality relies on the existence of one or more 'rollback provisioning files’ in flash:, along with all of the .pkg files listed in the rollback provisioning file(s)

  • The rollback provisioning files are visible in flash: as packages.conf.00-, packages.conf.01-, etc.
  • packages.conf.00- is a snapshot of the packages.conf file as it looked prior to the last installation operation
  • packages.conf.01- is a snapshot of the packages.conf file as it looked two installations ago
  • And so on

When the 'software rollback' command is used, packages.conf.00- becomes packages.conf, packages.conf.01- becomes packages.conf.00-, and so on.

Note: If the 'software clean' command is used, future attempts to do a software rollback are likely to fail, because it removes the unused rollback provisioning files and the .pkg files they reference.
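An added example (not Cisco's code): a small model of the provisioning-file bookkeeping described above, so you can see what software install, software rollback and software clean leave in flash:. The version strings are constructed labels for package sets, and the reload step is left out.

```python
class Flash:
    """Models packages.conf and its rollback snapshots packages.conf.NN- in flash:."""

    PREFIX = "packages.conf."

    def __init__(self, running):
        self.files = {"packages.conf": running}  # file name -> package set label

    def _snapshots(self):
        """Existing rollback provisioning files, newest (.00-) first."""
        return sorted(n for n in self.files if n.startswith(self.PREFIX))

    def _index(self, name):
        return int(name[len(self.PREFIX):-1])  # "packages.conf.01-" -> 1

    def install(self, new_set):
        """'software install ... new': keep the old set as .00-, age older snapshots by one."""
        for name in reversed(self._snapshots()):  # oldest first so nothing is overwritten
            self.files[f"{self.PREFIX}{self._index(name) + 1:02d}-"] = self.files.pop(name)
        self.files[f"{self.PREFIX}00-"] = self.files["packages.conf"]
        self.files["packages.conf"] = new_set

    def can_rollback(self):
        return f"{self.PREFIX}00-" in self.files

    def rollback(self):
        """'software rollback': .00- becomes packages.conf, .01- becomes .00-, and so on."""
        snapshots = self._snapshots()
        if not snapshots:
            raise RuntimeError("no rollback provisioning file in flash:")
        self.files["packages.conf"] = self.files.pop(snapshots[0])
        for name in snapshots[1:]:
            self.files[f"{self.PREFIX}{self._index(name) - 1:02d}-"] = self.files.pop(name)
        return self.files["packages.conf"]

    def clean(self):
        """'software clean': unused provisioning files (the snapshots) are removed."""
        for name in self._snapshots():
            del self.files[name]

    def running(self):
        return self.files["packages.conf"]


if __name__ == "__main__":
    flash = Flash("03.03.01SE")
    flash.install("03.06.00E")
    flash.install("03.08.88.EMP")
    print(sorted(flash.files.items()))
    print("rolled back to", flash.rollback())
    flash.clean()
    print("rollback possible after clean:", flash.can_rollback())
```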


How to Verify Cisco Switch Network Status and Operational State?

October 30 2015 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco & Cisco Network

In the last article we talked about the “Nine Switch Commands Every Cisco Network Engineer Needs to Know”. For Cisco and many other vendors, new commands are introduced at each progressive level of system verification. Do you know what commands you should use to verify a network switch’s status and operation? In this article we will look at five essential commands that are used to verify a network switch’s status and operation. They are:

  • ping
  • traceroute
  • telnet
  • ssh
  • show cdp neighbors

ping

Available on almost all operating system platforms, including Cisco IOS, the ping command is used to verify the reachability of a targeted device. It does this by sending an Internet Control Message Protocol (ICMP) echo message to the target; if the target receives the message (and is not configured to drop it), it responds to the initial sender with an ICMP echo-reply message. In a perfect world, with no firewalls, and all devices configured to respond to these messages, the ping command would work perfectly. However, many devices (or devices en route, like firewalls) are purposely configured to ignore ICMP echo messages automatically, in order to hide their existence and avoid being targeted by attackers. In these cases, engineers must decide whether the unsuccessful ping is a real problem or a purposeful part of a network’s design.

TIP: As a general rule, don’t worry about devices that are outside your organization’s control.

Cisco IOS also has an extended version of the ping command that allows for more complex command configurations. For example, an engineer has the ability to control the source IP used (which makes sense when being run from a router configured with multiple IP addresses), the size of the messages being sent, and the content of the messages, among other options.

traceroute

The traceroute command is typically used along with the ping command to further determine the reachability of a destination. traceroute works a bit differently from ping; instead of simply sending a message to the destination directly, it aims to find the path from the source to the target destination. It does this by using either ICMP echo messages on Windows or the User Datagram Protocol (UDP) probe messages on Linux and Cisco IOS. It figures out the path by taking advantage of the IP Time to Live (TTL) field.

It’s important to understand what the TTL field does. In normal circumstances, the TTL is used as a loop-prevention mechanism; it works by being set to a number which is then decremented at every IP “hop.” If the TTL reaches a device and is decremented to 0, the packet is dropped and an ICMP “destination unreachable” message is sent back to the source device. When used by the traceroute command, the TTL finds each of the hops in the path between the source and the destination:

  1. Initially the source sends an ICMP or UDP message to the destination with a TTL of 1.
  2. When the packet reaches the first hop, the TTL is decremented to 0; the device drops the packet and sends back an ICMP “destination unreachable” message.
  3. To find the second hop, the TTL is set to 2, for the third hop it’s set to 3, and so on; typically three packets are sent for each step toward the destination (three with a TTL set to 1, three with a TTL set to 2, and so on).
  4. These ICMP “destination unreachable” messages are received by the running traceroute command and interpreted into a readable output showing the path toward the destination.

As with the ping command, many organizations block the ICMP echo messages and some of the UDP messages; and the output should be read with this fact in mind.
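The TTL-stepping procedure above, as an added example (not from the article): a small model of a path in which each hop decrements the TTL, three probes are sent per TTL value, and a firewall hop that drops expired probes without answering shows up as the "* * *" row you see in practice. The path and addresses are constructed.

```python
from dataclasses import dataclass


@dataclass
class Hop:
    addr: str
    silent: bool = False  # e.g. a firewall that drops expired probes without an ICMP error


def forward(path, ttl):
    """Send one probe with the given TTL along path; return (replying address, reply kind).

    Every hop decrements the TTL.  A hop that decrements it to 0 drops the probe and
    answers with an ICMP error (real stacks send ICMP Time Exceeded, type 11) unless it
    is silent.  The last entry in path is the destination, which answers the probe itself.
    """
    for index, hop in enumerate(path):
        ttl -= 1
        if index == len(path) - 1:
            return (None, "timeout") if hop.silent else (hop.addr, "destination")
        if ttl == 0:
            return (None, "timeout") if hop.silent else (hop.addr, "icmp-error")
    return None, "timeout"


def traceroute(path, probes_per_ttl=3, max_ttl=30):
    """Probe with TTL 1, 2, 3, ... until the destination answers; '*' marks no reply."""
    rows = []
    for ttl in range(1, max_ttl + 1):
        replies = [forward(path, ttl) for _ in range(probes_per_ttl)]
        rows.append((ttl, [addr or "*" for addr, _ in replies]))
        if any(kind == "destination" for _, kind in replies):
            break
    return rows


def render(rows):
    """Format rows the way a traceroute listing reads: TTL, then one column per probe."""
    return "\n".join(f"{ttl:>2}  " + "  ".join(replies) for ttl, replies in rows)


# Constructed path: a router, a firewall that stays silent, then the destination.
PATH = [Hop("192.0.2.1"), Hop("198.51.100.9", silent=True), Hop("203.0.113.7")]

if __name__ == "__main__":
    print(render(traceroute(PATH)))
```

The second row of the output is all stars even though the path is intact, which is the situation the paragraph above warns about when reading traceroute results.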

The traceroute command on Cisco IOS is extended in the same way as the ping command, allowing for extended command configurations. The options offered by traceroute mirror most of the options available in an extended ping.

telnet

The telnet command has been around for a long time, allowing users to manage devices via a command-line interface. Its very simple operation provides an unsecured Transmission Control Protocol (TCP) session between the source and destination. Characters entered on the source are immediately relayed to the destination, providing an experience on Cisco IOS (and Linux) that is the same as if the user were directly connected into the device locally.

CAUTION

A key term to take from this description is unsecured: the username and login information are sent between the source and destination in clear text.

The telnet command uses TCP port 23.

ssh

The ssh (secure shell) command works similarly to the telnet command but creates a secure communications channel between source and destination. This means that the username and password are not sent in clear text and are protected (at least to some level) from anyone listening in on the conversation.

The ssh command uses TCP port 22.

show cdp neighbors

The show cdp neighbors command is used on a Cisco IOS device to view neighboring devices discovered by the Cisco Discovery Protocol (CDP). CDP is a Cisco proprietary protocol used for Layer 2 discovery; it has the ability to discover all other supporting CDP devices on a shared segment. (It doesn’t work across Layer 3 devices.) The following example shows some typical output of this command:

R1#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
R2               Fas 0/0            172              R    7206VXR   Fas 0/0
R1#

In this example, we learn that the remote device (R2) is connected via R1’s FastEthernet0/0 interface and is connected to R2’s FastEthernet0/0 interface, and R2 is a Cisco 7206VXR router. This information is very helpful when mapping out unfamiliar networks. It can also be used to help ensure that a device is connected to the correct remote device(s) on the correct interface; as engineers often must configure devices remotely, this command is useful when installing new equipment, to ensure that physical interfaces are connected to the appropriate networks.

Keep in mind that CDP is a proprietary protocol and will not work to discover most other non-Cisco devices; this command is enabled by default on Cisco devices. A standards-based alternative to CDP is the Link Layer Discovery Protocol (LLDP)—IEEE 802.1AB, which is supported by many other vendors, but is not enabled by default on Cisco devices.

Reference Article from http://www.ciscopress.com/articles/article.asp?p=2420613


Nine Switch Commands Every Cisco Network Engineer Needs to Know

October 30 2015 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco & Cisco Network

It’s no doubt that a Cisco network engineer needs experience with a wide variety of commands used with network technology. And at the Cisco Certified Network Associate (CCNA) level, Cisco has indicated a number of commands that should be known initially for Cisco network switches.

This article covers these commands, explaining what they do and how they alter the behavior and/or use of a Cisco switch.

The commands you need to know, with examples:

#1: hostname hostname

One of the most basic network commands, hostname configures the hostname used for a device. This hostname identifies the device to other locally connected devices for protocols such as the Cisco Discovery Protocol (CDP), which helps in the identification of devices attached directly to the network. Although it is not case-sensitive, the hostname must follow certain rules: It must begin with a letter and end in a letter or digit, and interior characters must be letters, digits, or hyphens (-).

#2: ip default-gateway gateway

The ip default-gateway command configures the default gateway for a switch when IP routing is not enabled (with the ip routing global configuration command), which is typical when lower-level Layer 2 switches are being configured. The easiest way to determine whether IP routing has been enabled is to run the show ip route command. When IP routing has not been enabled, the output will look similar to the following example:

SW1#show ip route
Default gateway is 10.10.10.1

Host               Gateway           Last Use    Total Uses  Interface
ICMP redirect cache is empty
SW1#

When IP routing is enabled, the output looks similar to the output displayed on a router:

SW1#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.10.10.0/24 is directly connected, Vlan1
L        10.10.10.10/32 is directly connected, Vlan1
SW1#

NOTE: The configuration entered with the ip default-gateway command has no effect when IP routing is enabled.

#3: username username {password | secret} password

The username command configures a username and associates a password with it. Using the password or secret version of this command is a matter of security:

  • The password version of this command will do one of two things with the configured password:
    • Place the password into the configuration in plaintext (if the service password-encryption command is not enabled).
    • Put the password through a Cisco-proprietary encryption algorithm before placing it into the configuration. (Note that this encryption is easily reversed.)
  • The secret version of this command will create an MD5 hash with the configured password and then place it into the configuration. This hashed password is much harder to crack than the encrypted version created with the password version of this command.

This username/password can be used for a number of different features, including Telnet and SSH.

#4: enable {password | secret} password

The enable command configures the password that will be used to access a switch's privileged configuration mode. Because all configuration of a Cisco IOS switch requires privileged configuration mode, keeping this password private is very important. As with the username command, this command has two options: password and secret. The differences between these two options are the same as those for the username command in the preceding section. The enable secret version of the command should be used in all production environments.

Console and Terminal Login Commands

Five commands are used to configure login via the console and virtual terminal (VTY) lines of a switch:

  • password
  • login
  • exec-timeout
  • service password-encryption
  • copy running-config startup-config

The following sections describe these individual commands.

password password

When entered in line-configuration mode (console or terminal), the password command is used to configure the password that will be used to access a switch from that specific line, depending on the line mode (console or terminal). However, the password configured with this command is used only if the login command is used (which is the default).

login [local]

The login command is used to enable password checking on a line. If this command is used without any parameters, the system will check the password entered at login against the one entered with the password command discussed in the preceding section. If used with the local parameter, both username and password will be prompted for, and the entries will then be checked against the local username database that was created with the username command discussed previously.

exec-timeout minutes [seconds]

The exec-timeout command is used to configure the amount of time that can pass before a device considers the connection idle and disconnects. By default, timeout is set to 10 minutes. This timeout can be disabled with the no exec-timeout command. (This command is a shortcut and actually enters the exec-timeout 0 0 command into the configuration.)

service password-encryption

The service password-encryption command is used to enable the encryption of configured passwords on a device. The passwords referenced with this command are the ones configured with a command's password parameter, such as username password and enable password. The passwords encrypted with this command are not highly encrypted and can be broken relatively easily. By and large this command is deprecated, as most network engineers will use the secret version of the appropriate commands; however, even weak protection is better than nothing.
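As an added example (not from the article), here is a Python audit that flags, in a running-config, the weak forms discussed in this section: enable password, username ... password, a line password used with plain login, a disabled exec-timeout, and Telnet on the VTY lines. The sample configuration is constructed, and the type 7 and type 5 strings in it are placeholders rather than real hashes.

```python
import re

# Constructed sample running-config; the type 7 / type 5 strings are placeholders.
SAMPLE_CONFIG = """\
hostname SW1
!
enable password 7 PLACEHOLDER7
username admin password 0 PlaintextPassword
username ops secret 5 $1$PLACEHOLDER$placeholderhash
!
line con 0
 exec-timeout 0 0
 password 7 PLACEHOLDER7
 login
line vty 0 4
 password LinePassword
 login local
 transport input telnet ssh
"""


def parse_config(text):
    """Split a running-config into top-level commands and per-line sub-command blocks."""
    top, blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())  # indented: belongs to the open 'line' block
            continue
        current = None
        cmd = raw.strip()
        if cmd.startswith("line "):
            current = cmd
            blocks[current] = []
        else:
            top.append(cmd)
    return top, blocks


def audit_config(text):
    """Return human-readable findings; an empty list means nothing weak was found."""
    top, blocks = parse_config(text)
    findings = []
    for cmd in top:
        if cmd.startswith("enable password"):
            findings.append("enable password: reversible or plaintext; use 'enable secret'")
        m = re.match(r"username (\S+) password(?: (\d+))? \S+", cmd)
        if m:
            stored = "type 7 (reversible)" if m.group(2) == "7" else "plaintext"
            findings.append(f"username {m.group(1)}: 'password' stored {stored}; use 'secret'")
    for name, cmds in blocks.items():
        has_password = any(c.startswith("password ") for c in cmds)
        if has_password and "login" in cmds:  # plain 'login' checks only the line password
            findings.append(f"{name}: authenticates with the line password only; prefer 'login local'")
        if "exec-timeout 0 0" in cmds or "no exec-timeout" in cmds:
            findings.append(f"{name}: idle timeout disabled")
        for c in cmds:
            if c.startswith("transport input") and "telnet" in c.split():
                findings.append(f"{name}: Telnet allowed; credentials travel in clear text, prefer SSH")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG) or ["no weak settings found"]:
        print(finding)
```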

copy running-config startup-config

The copy running-config startup-config command (popularly shortened to copy run start) is one of the most fundamental commands learned by new Cisco network engineers. It copies the active configuration (running-config) on a device to non-volatile memory (NVRAM) as the startup-config, which maintains a configuration across a reload. Without this command, a configuration can be lost when a device is reloaded or powered off. The copy command can also be extended to save configurations and IOS images to and from a local device, as well as between different locations on the local device.

Network engineers must learn many Cisco OS commands in the process of becoming a CCNA (and beyond), and understanding these basic management commands is where the process starts. Without the knowledge of how to access devices, the complex commands are useless. You must understand when learning these concepts that they are intended to be stacked on top of each other. Lack of knowledge of a few base concepts undermines learning other, more advanced concepts that build on top of those basics.

The Reference Article from http://www.ciscopress.com/articles/article.asp?p=2420612
