
Privileged EXEC mode—The Privileged command set includes those commands contained in User EXEC mode, as well as the configure command, through which you can access the remaining command modes. Privileged EXEC mode also includes high−level testing commands, such as debug.

Global Configuration mode—Global Configuration mode commands apply to features that affect the system as a whole. Use the configure privileged EXEC command to enter Global Configuration mode.

Interface Configuration mode—Many features are enabled on a per−interface basis. Interface Configuration commands modify the operation of an interface such as an Ethernet port or a VLAN.

Configuring Passwords

Passwords can be configured on every access method to a Cisco Catalyst switch. Passwords can be applied to the console port, auxiliary (AUX) port, and VTY lines.

Limiting Telnet Access

VTY access can be secured with a password. However, when a careless administrator walks away from a logged−in Telnet session, the door is open with full access to the entire network. This situation allows anyone with access to the terminal the administrator was using to make changes and attack the network.

A solution is to add another layer of security by applying a time-out to idle VTY sessions. Cisco IOS measures idle time in seconds or minutes, depending on the IOS version. If the session receives no character input from the administrator for the configured amount of time, the session is closed and the administrator is logged out.

Implementing Privilege Levels

Privilege levels can be assigned to limit switch users’ ability to perform certain commands or types of commands. You can configure two types of levels in the IOS: user levels and privilege levels. A user level allows a user to perform a subset of commands that does not allow for configuration changes or debug functions. A privilege level, on the other hand, allows the user to use all the available commands, including configuration change commands.

You can assign a user 16 different levels, from level 0 to level 15. Level 1 is set to User EXEC Mode by default. This level gives the user very limited access, primarily to show commands. Level 15 defaults to Privileged EXEC mode, which gives the user full access to all configuration commands in the IOS (including the debug command).

Privilege level 0 is a special level that allows the user to use a more narrowly defined set of commands. As an example, you could allow a certain user to use only the show arp command. This command is useful when a third party is using a sniffer on your network and needs to match a MAC address to an IP address and vice versa.

Configuring an IOS−Based CLI Switch

In this section, we will walk through the basic configuration of the IOS−based CLI switches. Although these tasks are not all mandatory, knowing them will help you to better manage your switches.

Setting the Login Passwords

By default, Cisco switches have no passwords configured when they are shipped. On the Cisco IOS−based switches, different priority levels of authority are available for console access. You can define two levels on IOS−based switches: privilege level 1, which is equivalent to User EXEC mode; and privilege level 15, which is equivalent to Privileged EXEC mode. Use the following commands to set the two levels’ passwords (the password for level 1 will be noaccess, and the password for level 15 will be noone):

Switch> enable
Switch# configure terminal
Switch(config)# enable password level 1 noaccess
Switch(config)# enable password level 15 noone

Related solutions:                       Found on page:
Creating a Standard Access List          402
Creating an Extended Access List         403
Enabling Port Security                   411

Setting Privilege Levels

Using the privilege command allows you to assign a more narrowly defined set of commands to a selected privilege level. Let's walk through how to do this:

1. Select a user and associate that user with a privilege level. In this example I will use myself and the login name SeanO. I'll assign myself a privilege level of 3. To do this, use the following command in Global Configuration Mode:

5000RSM(config)# privilege configure level 3 seano
5000RSM(config)#

2. You should assign an enable password for each configured privilege level. To assign the password for privilege level 3, use the following command:

5000RSM(config)# enable secret level 3 sean1

3. To get into the switch, I will now use the following command:

5000RSM(config)# username seano password sean1

Assigning Allowable Commands

To allow a user to use only certain show commands, but give him no access to debug or configuration commands, use the following command:

5000RSM(config)# privilege exec level 3 show
5000RSM(config)#

To allow users with privilege level 3 a specific command syntax for debug, such as debug ip, use the following command:

5000RSM(config)# privilege exec level 3 debug ip
5000RSM(config)#

Note Privilege level 0 includes five commands: disable, enable, exit, help, and logout.

Setting the Console Port Time−out Value

To configure a console time-out value on an IOS-based Cisco switch, use the following commands (the exec-timeout command takes minutes followed by an optional number of seconds):

CAT2924XL(config)# line console 0
CAT2924XL(config-line)# exec-timeout 0 300

The time-out value is now set to five minutes, expressed as 300 seconds.

Tip You can use the lock command to lock an unused Telnet session. After you issue the lock command, the system will ask you to enter and verify an unlocking password.

To set the idle time-out on a Set/Clear command-based switch to five minutes, use the following command:

CAT5009(enable) set logout 5

To configure the time−out value to five minutes on the console port of an IOS−based route processor or router, use the following command:

5000RSM(config)# line console 0
5000RSM(config-line)# exec-timeout 5

Configuring the Telnet Time−out Value

To configure the time−out value to five minutes on the VTY port of an IOS−based route processor or router, use the following command:

5000RSM(config)# line vty 0 4
5000RSM(config-line)# exec-timeout 5

Tip To configure seconds beyond a minute, you can add an additional value to the command. For example, if you want the exec−timeout to be 5 minutes and 10 seconds, the command is exec−timeout 5 10.
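As an added example, not from the book, the following Python audit reads an IOS running-config in text form and checks the two settings covered in the sections above: the idle time-out on console and VTY lines (exec-timeout minutes plus optional seconds) and the use of reversible enable password entries where enable secret belongs. The sample config, hostnames and hash are constructed.

```python
import re

# Constructed sample running-config (hostname, passwords and hash are invented),
# shaped like the commands shown in the sections above.
SAMPLE_CONFIG = """\
hostname CORIOLIS8500
enable password level 1 noaccess
enable secret level 15 5 $1$XXXX$placeholder-hash-not-real
line con 0
 exec-timeout 5 0
line vty 0 4
 exec-timeout 0 0
line vty 5 15
"""

def parse_line_blocks(config):
    """Map each 'line ...' block to the list of its indented sub-commands."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[5:].strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        elif raw.strip():
            current = None  # any other top-level command ends the block
    return blocks

def exec_timeout_seconds(subcommands):
    """Idle time-out in seconds: 'exec-timeout M [S]' is M*60+S, '0 0' disables
    the time-out, and a line without exec-timeout keeps the IOS default of 600."""
    for cmd in subcommands:
        m = re.fullmatch(r"exec-timeout (\d+)(?: (\d+))?", cmd)
        if m:
            return int(m.group(1)) * 60 + int(m.group(2) or 0)
    return 600

def audit_config(config, max_idle=300):
    """Flag disabled or over-long idle time-outs and reversible enable passwords."""
    findings = []
    for name, subs in parse_line_blocks(config).items():
        secs = exec_timeout_seconds(subs)
        if secs == 0:
            findings.append(f"line {name}: exec-timeout disabled")
        elif secs > max_idle:
            findings.append(f"line {name}: exec-timeout {secs}s exceeds {max_idle}s")
    for m in re.finditer(r"^enable password(?: level (\d+))? ", config, re.M):
        level = m.group(1) or "15"
        findings.append(f"enable password level {level}: reversible, use enable secret")
    return findings
```

Running audit_config over the output of show running-config flags the VTY lines with the time-out disabled or left at the default, and the level 1 enable password that is stored in reversible form.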

Configuring the Hostname

On a Cisco IOS−based switch, configure the hostname using the following command in Global Configuration mode:

Switch(config)# hostname CORIOLIS8500
CORIOLIS8500(config)#

Configuring the Date and Time

To set the system clock on an IOS-based switch and to put it in the PST time zone, use the following commands (clock set is entered in Privileged EXEC mode, clock timezone in Global Configuration mode):

CORIOLIS8500# clock set 22:09:00 08 Oct 2000
CORIOLIS8500# configure terminal
CORIOLIS8500(config)# clock timezone PST -8

Configuring an IP Address and Netmask

To configure an IP address on a Cisco IOS−based switch, enter the following commands in Global Configuration mode (the IP address being used is 68.187.127.254 and the subnet mask is 255.255.0.0):

CORIOLIS8500(config)# interface vlan 1
CORIOLIS8500(config-if)# ip address 68.187.127.254 255.255.0.0
CORIOLIS8500(config-if)# exit

Configuring a Default Route and Gateway

To configure the default route for data routing out of the subnet or VLAN, enter the following commands (the address of the local router is 68.187.127.1):

CORIOLIS8500(config)# ip default-gateway 68.187.127.1
CORIOLIS8500(config)# end

Configuring Port Speed and Duplex

To configure the port speed—whether 10Mbps or 100Mbps—use the following commands:

CORIOLIS5500(config)# interface fastethernet 2/3
CORIOLIS5500(config-if)# speed 100
CORIOLIS5500(config-if)# duplex full

The auto command can be used when the port on the other side is manually set. Links should not be configured with the auto setting on both devices connecting the links because both sides will try to determine the speed on the other side of the link and neither will agree.

You can change the port duplex from full duplex to half duplex, as shown in the following commands:

CORIOLIS8500(config)# interface fastethernet 0/1
CORIOLIS8500(config-if)# speed auto
CORIOLIS8500(config-if)# duplex half

Enabling SNMP Contact

To set the SNMP contact for RMON support, configure your switch with a contact name, location, and chassis identification so that an SNMP management station can easily identify the device. You can set the SNMP system contact, location, serial number, and, most importantly, the community string, which must match the community configured on your SNMP management station. You can configure these items, in the same order as discussed, from the Global Configuration mode prompt:

CORIOLIS8500(config)# snmp-server contact Joe Snow
CORIOLIS8500(config)# snmp-server location Coriolis Wiring Closet
CORIOLIS8500(config)# snmp-server chassis-id 987654321
CORIOLIS8500(config)# snmp-server community coriolis

Configuring a Set/Clear−Based CLI Switch

In this section, you'll walk through the basic configuration of the Set/Clear command-based CLI switches. Although these tasks are not all mandatory, completing them will help you to better manage your switches.

Logging On to a Switch

To begin configuring your switch, do the following:

1. Connect the console cable and connector to a terminal or PC and power on the switch. The switch will then go through its initial POST, which runs diagnostics and checks the reliability of the switch components.

2. Once the POST has completed successfully, the initial prompt should show a User EXEC mode prompt:

Enter Password:

3. No password has been configured at this point, so just press the Enter key to continue.

4. Cisco switches have two levels of access by default: User EXEC mode and Privileged EXEC mode. User EXEC mode will allow you to do some basic tasks, such as show the port or VLAN information. To get more advanced configuration options, you will need to enter Privileged EXEC mode. Use the following command to enter Privileged EXEC mode:
