Monday, September 12, 2011

How to configure a new Cisco router or switch


Environment: Cisco 2960G switch, 48 ports
Objective: Configure it as a manageable switch and use port 48 as the monitoring (SPAN) port that feeds a Snort server.

Steps:

1. Use PuTTY on COM1 to connect to the switch console, then power on the switch.
2. Wait for the switch to start up; this takes some time.
3. Follow the default configuration wizard.
4. Specify VLAN 1 as the management interface and assign its IP address, etc.
5. Specify the SSH username and password:

username root secret yourpassword

6. Configure the rest
no enable password
no ip domain-lookup

ip domain-name yourdomain.com
crypto key generate rsa (then give 1024 as the modulus size)
note: the above 2 lines enable the SSH server function

clock timezone SGT 8 (global configuration mode, i.e. at the conf t prompt)
service password-encryption

no ip http server
no ip http secure-server
snmp-server community public RO
line con 0
line vty 0 4
  login local
  transport input ssh
line vty 5 15
  login local  (using local authentication, not remote authentication server)
  transport input ssh  (only accept ssh incoming connection)

7. Configure the monitoring (SPAN) session
monitor session 1 source vlan 1
monitor session 1 destination interface GigabitEthernet0/48

8. Configure NTP servers
ntp server 1.2.3.4

note: if you don't set an NTP server, the switch loses its clock when it is powered off and on again. If an NTP server is available, the switch gets the correct time from it immediately after power-on.

9. Set the clock
clock set 14:28:00 20 OCT 2009 (privileged EXEC mode, not at the conf t prompt)

10. Save
wr (short for write memory)

11. Disable console/terminal logging and set the logging levels
no logging console
no logging monitor  (This command disables logging for terminal lines other than the system console)
logging buffered 16384
logging trap notifications  (This command provides notification (level 5) messaging to the specified syslog server. The default logging level for all devices (console, monitor, buffer, and traps) is debugging (level 7). Leaving the trap logging level at 7 produces many extraneous messages that are of little or no concern to the health of the network. It is recommended that the default logging level for traps be set to 5. )

note:
You can synchronise the logging messages with your command prompt as follows:

Router(config)# line con 0
Router(config-line)# logging synchronous
Router(config)# line aux 0
Router(config-line)# logging synchronous
Router(config)# line vty 0 4
Router(config-line)# logging synchronous
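To make the level numbers in step 11 concrete, here is an added Python example (mine, not code from the post) that reads the severity out of IOS log messages and shows which of a few constructed sample lines a switch configured with `logging trap notifications` would actually send to the syslog host, compared with the default `debugging`. The sample lines, their timestamps and addresses are constructed; the facility/mnemonic strings follow the IOS `%FACILITY-SEVERITY-MNEMONIC` format. The last function pulls the source address out of failed login messages, which at severity 4 survive the notifications threshold and are the lines worth watching on a management VLAN.

```python
import re

# Cisco IOS syslog severities, i.e. the names accepted by "logging trap <level>".
SYSLOG_LEVELS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
                 "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

# Every IOS message carries %FACILITY-SEVERITY-MNEMONIC:, so the severity can be
# read straight out of the text without a lookup table.
MSG_RE = re.compile(r"%([A-Z0-9_]+)-(\d)-([A-Z0-9_]+):\s*(.*)")

# Constructed sample lines in the shape produced by "service timestamps log datetime msec".
SAMPLE_LOG = [
    "Oct 20 14:28:01.101: %SYS-5-CONFIG_I: Configured from console by root on vty0 (10.0.0.5)",
    "Oct 20 14:28:05.230: %LINK-3-UPDOWN: Interface GigabitEthernet0/48, changed state to down",
    "Oct 20 14:28:06.001: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/48, changed state to down",
    "Oct 20 14:29:10.440: %SYS-6-LOGOUT: User root has exited tty session 1(10.0.0.5)",
    "Oct 20 14:30:00.012: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.9] [localport: 22] [Reason: Login Authentication Failed] at 14:30:00 SGT Tue Oct 20 2009",
    "Oct 20 14:30:01.500: %SYS-7-USERLOG_DEBUG: Message from tty1(user id: root): test",
]


def parse_message(line):
    """Return (facility, severity, mnemonic, text), or None if the line is not an IOS message."""
    m = MSG_RE.search(line)
    if not m:
        return None
    return m.group(1), int(m.group(2)), m.group(3), m.group(4)


def messages_at_trap_level(lines, level_name):
    """Return 'FACILITY-SEV-MNEMONIC' for every line that 'logging trap <level_name>'
    would forward: messages at that severity or more severe (a lower number)."""
    threshold = SYSLOG_LEVELS[level_name]
    forwarded = []
    for line in lines:
        parsed = parse_message(line)
        if parsed and parsed[1] <= threshold:
            forwarded.append(f"{parsed[0]}-{parsed[1]}-{parsed[2]}")
    return forwarded


def login_failures(lines):
    """Source addresses from SEC_LOGIN LOGIN_FAILED messages (severity 4, so they are
    still forwarded once the trap level is lowered to notifications)."""
    sources = []
    for line in lines:
        parsed = parse_message(line)
        if parsed and parsed[2] == "LOGIN_FAILED":
            m = re.search(r"\[Source: ([\d.]+)\]", parsed[3])
            if m:
                sources.append(m.group(1))
    return sources


if __name__ == "__main__":
    for level in ("errors", "notifications", "debugging"):
        print(f"logging trap {level}: {messages_at_trap_level(SAMPLE_LOG, level)}")
    print("failed logins from:", login_failures(SAMPLE_LOG))
```

With the six sample lines, `notifications` forwards four messages and drops the level 6 logout and the level 7 debug line; `debugging` forwards all six, which is the noise the step above is trying to avoid.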


12. Some other useful commands
show clock
show monitor
show ssh
show line

hostname 48PortCiscoSwitch
ip name-server 1.1.1.1

13. Example configuration
-----------------------------
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec

service password-encryption
!
hostname 48PortCiscoSwitch
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$7zZ5$91N7FPR68YbLyRO4NE3jr/
!
username root secret 5 $1$2IEN$wmDzCnXsatjHtaPMrss4e.
no aaa new-model
clock timezone SGT 8
system mtu routing 1500
ip subnet-zero
!
no ip domain-lookup
ip domain-name jephe.com
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending

interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
.......
interface GigabitEthernet0/48
!
interface Vlan1
 ip address 10.0.0.100 255.255.255.0
 no ip route-cache
!
ip default-gateway 10.0.0.1
no ip http server
no ip http secure-server
snmp-server community public RO
!
control-plane
!
!
line con 0
 logging synchronous
line vty 0 4
 logging synchronous
 login local
 transport input ssh
line vty 5 15
 logging synchronous
 login local
 transport input ssh
!
!
monitor session 1 source vlan 1
monitor session 1 destination interface Gi0/48
ntp server 10.0.0.1

end
----------------------------
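The settings from steps 6, 7, 8 and 11 are easy to drift from over time, so here is an added Python example (mine, not part of the original post or of any Cisco tooling) that parses a saved running-config like the one in step 13 and reports which settings are missing. Both config texts are constructed samples: one adapted from the example above with placeholder hashes, one representing a switch before hardening. It deliberately flags the post's own `snmp-server community public RO`: "public" is the well-known default community, so anyone who can reach the management VLAN can read the switch's SNMP data; use a unique string and restrict the community with an access list. One SPAN caveat the check does not cover: once Gi0/48 is a SPAN destination it no longer forwards normal traffic, so the Snort server needs its own management connection on another port.

```python
import re

# Constructed sample adapted from the running-config in step 13, with the
# step 11 logging lines added; the secret hash is a placeholder.
HARDENED_CONFIG = """\
service password-encryption
username root secret 5 $1$PLACEHOLDER$hash
no ip domain-lookup
ip domain-name yourdomain.com
!
no ip http server
no ip http secure-server
snmp-server community public RO
logging buffered 16384
logging trap notifications
!
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 login local
 transport input ssh
!
monitor session 1 source vlan 1
monitor session 1 destination interface Gi0/48
ntp server 10.0.0.1
end
"""

# Constructed "before" state: telnet still allowed, HTTP on, read-write SNMP.
UNHARDENED_CONFIG = """\
hostname NewSwitch
ip http server
snmp-server community private RW
line vty 0 4
 login
 transport input telnet ssh
end
"""

# Severity names accepted by "logging trap <level>"; IOS defaults to debugging (7).
SYSLOG_LEVELS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
                 "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}


def parse_ios_config(text):
    """Split a config into its top-level lines and, for lines that open a section
    (interface ..., line vty ...), the indented lines beneath them."""
    top, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None          # "!" separates sections in IOS output
        elif raw[0] in " \t":
            if current is not None:
                sections[current].append(raw.strip())
        else:
            current = raw.strip()
            top.append(current)
            sections[current] = []
    return top, sections


def audit_config(text):
    """Return {check name: passed} for the settings applied in steps 6, 7, 8 and 11."""
    top, sections = parse_ios_config(text)
    r = {
        "password_encryption": "service password-encryption" in top,
        "domain_lookup_disabled": "no ip domain-lookup" in top,
        "http_disabled": "no ip http server" in top and "no ip http secure-server" in top,
        "ntp_configured": any(l.startswith("ntp server ") for l in top),
    }
    # Every vty group must authenticate locally and accept SSH only (step 6).
    vty = [s for s in sections if s.startswith("line vty")]
    r["vty_ssh_only"] = bool(vty) and all(
        {"login local", "transport input ssh"} <= set(sections[s]) for s in vty)
    # SNMP: reject the well-known community strings and any read-write community.
    weak_snmp, trap_level, spans = [], 7, {}
    for l in top:
        m = re.match(r"snmp-server community (\S+)(?: (RO|RW))?", l, re.I)
        if m and (m.group(1).lower() in {"public", "private"} or (m.group(2) or "").upper() == "RW"):
            weak_snmp.append(l)
        # Trap level must be notifications (5) or more severe (step 11).
        m = re.match(r"logging trap (\S+)", l)
        if m:
            name = m.group(1)
            trap_level = SYSLOG_LEVELS.get(name, int(name) if name.isdigit() else 7)
        # SPAN (step 7): a session needs both a source and a destination.
        m = re.match(r"monitor session (\d+) (source|destination) ", l)
        if m:
            spans.setdefault(m.group(1), set()).add(m.group(2))
    r["snmp_community_strong"] = not weak_snmp
    r["trap_level_ok"] = trap_level <= 5
    r["span_complete"] = any(s == {"source", "destination"} for s in spans.values())
    return r


def failed_checks(text):
    """Names of the checks that did not pass, sorted for stable output."""
    return sorted(name for name, ok in audit_config(text).items() if not ok)
```

Paste the output of `show running-config` into a file, read it into a string and call `failed_checks()` on it; the hardened sample above fails only the SNMP community check, while the unhardened sample fails all eight.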

Appendix:
 Cisco routers/switches have two predefined privilege levels:
  • User EXEC mode—privilege level 1
  • Privileged EXEC mode—privilege level 15
When you log in to a Cisco router under the default configuration, you're in user EXEC mode (level 1). From this mode, you have access to some information about the router, such as the status of interfaces, and you can view routes in the routing table. However, you can't make any changes or view the running configuration file.
Because of these limitations, most Cisco router users immediately type enable to get out of user EXEC mode. By default, typing enable takes you to level 15, privileged EXEC mode. In the Cisco IOS, this level is equivalent to having root privileges in UNIX or administrator privileges in Windows. In other words, you have full access to the router.
For networks maintained by just a few people, everyone typically has the password to get to privileged mode.

Cisco IOS provides for 16 different privilege levels ranging from 0 to 15.

The Cisco IOS comes with 2 predefined user levels: user EXEC mode runs at privilege level 1 and "enabled" mode (privileged EXEC mode) runs at level 15.