Basic IOS Navigation

When navigating Cisco devices there are some very helpful and important things to know.  Cisco considers itself an industry leader (rightfully so) and it also considers itself a software company.  Sure, the physical infrastructure and hardware you have are important, but if you don't understand the software running it all, things can get very expensive.  Navigating Cisco software proficiently takes practice and a willingness to learn.  Long before getting into more complicated concepts it is best to learn how to navigate the software and how it works so you don't have to reference a manual over and over.  In reality this part is not that complicated; it is like learning to move around a DOS or Linux directory structure.

Basic Prompts

The prompt that you see tells you exactly where you are and what privileges you have on the device.  You can read about user levels here http://ciscoccent.blogspot.com/2013/10/user-levels.html but there is a little more to it.

The first prompt you'll likely see is User Exec, and it is always displayed as hostname>
The prompt I find myself working in most often is Privileged Exec; this is where you'll verify much of the configuration and do most troubleshooting.  It is always displayed as hostname#
When you are adding, removing, or editing most types of configuration you'll be in Global Configuration mode, and it is always displayed as hostname(config)#

There are many variants of the Global Configuration prompt that tell you which configuration mode you are in, but not necessarily exactly what you are editing.  There are also many cases where the prompt does not have room to display everything you are editing.  The two cases below show an Interface Config prompt, hostname(config-if)#, which does not display which interface you are in (you should be able to work that out from the command you just typed), and two line config prompts, hostname(config-line)#, one for vty lines 0-4 and one for the console line.  Both are entered from Global Configuration and left with exit (one level up) or end (straight back to Privileged Exec).
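The session below is an added example (not a screenshot from the original post) walking through the prompts just described on a switch with the assumed hostname Switch; the interface name and line numbers are assumptions and the exclamation-mark lines are IOS comments, which the parser ignores.

```cisco
Switch> enable
Switch# configure terminal
Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# description uplink to core   ! prompt says (config-if) but not which interface
Switch(config-if)# exit                         ! one level up
Switch(config)# line vty 0 4
Switch(config-line)# exec-timeout 10 0          ! same (config-line) prompt for vty and console
Switch(config-line)# exit
Switch(config)# line console 0
Switch(config-line)# logging synchronous
Switch(config-line)# end                        ! straight back to Privileged Exec
Switch# conf t                                  ! abbreviations work as long as they are unambiguous
Switch(config)# int g0/1
Switch(config-if)# end
Switch#
```

If you lose track of which interface or line you are in, the fastest check is to type end, then show running-config and read the section you just changed.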



Shortcut Keys

Like every piece of software, Cisco has a few shortcut keys that will save you a lot of time over your career of configuring their equipment.
  • ← / → Move the cursor back or forward one space
  • ↑ Scroll backward through previously entered commands - mode sensitive
  • ↓ Scroll forward through command history
  • Ctrl+A  Move cursor to beginning of line
  • Ctrl+E  Move cursor to end of line
  • Ctrl+L  Reprint the current line
  • Ctrl+U  Erases the line
  • Ctrl+W Erases the previous word
  • Ctrl+K  Erase characters following the current cursor position
  • Ctrl+X  Erase all characters preceding the current cursor position
  • Ctrl+C  Exit configuration mode (goes to Privileged Exec)
  • Ctrl+Shift+6  Aborts the current command - helpful for time-intensive things such as a DNS (IP domain) lookup or a traceroute that is hanging (acts like Ctrl+C does in the Windows CLI)
Shortcut keys for commands
  • TAB completes a partial word
  • ? shows the commands that begin with the preceding letter(s); it acts immediately, no Enter needed
    • Uses:  
      • en? displays all commands currently available in your mode that begin with the letters "en"
      • enable ? displays the keywords and arguments that can follow "enable", with a short description of each, so you can build a command one word at a time
  • The image walks you through the first use of "?" as described above and then shows it being used to query what the next part of the command should be, as in the second use.  This is a powerful tool that you should become very familiar with unless you have the world's most impressive memory.

Cisco IOS Introduction

What is Cisco IOS you ask?  It is the operating system that runs Cisco's network devices.  This operating system allows the hardware to become flexible and malleable with respect to your network application.  It was once told to me that Cisco considers itself more of a software vendor than a hardware vendor - this is pretty much true when you consider that just plugging things into a switch or router with an idea in mind does nothing except establish physical connectivity; the true magic of bringing networks to life and securing them happens within the IOS.

Cisco IOS comes in many flavors across its devices.  It is not uncommon to run into scenarios where certain commands, protocols, or functions are not available simply because of the IOS version or feature set being used; likewise, it is not uncommon to find IOS versions for other models of the same device that have additional capabilities.

Cisco recommends giving four points careful consideration when upgrading or implementing an IOS on your device(s).

  1. Check to be sure your hardware is supported
    • Use the Cisco Product Documentation section of your Documentation CD
    • Use the Cisco Feature Navigator Tool
  2. Check Feature Support
    • Run show version from Privileged Exec and record the release you are using
    • Use the Output Interpreter Tool to find potential issues and fixes
      • I RECOMMEND checking every IOS release you have deployed at least once a year to determine whether there are upgrades you should be applying to close any "flaws" or potential problems, security or otherwise, in the version you are using; Cisco's published security advisories for your release are the other place to look.
  3. Choose a Cisco IOS Release Version
    • Verify the one you are looking at supports the features you want and your hardware, and fits the memory of your device
    • Release format is:  A.B(C)D, for example 12.4(15)T or 15.0(2)SE
      • A, B, C are numbers and D (if shown) is one or more letters, sometimes followed by a rebuild number
        • A.B is the major release
        • C is the maintenance release (bug fixes)
        • D is not a major release but a train or extension of the major release it is attached to (usually where new features appear)
  4. Memory Requirements
    • Make sure your device meets the memory requirements for the particular image you are looking at - DRAM, Packet Memory, Flash Memory
Your devices have to be registered (with a valid support contract) to access IOS downloads.  IOS downloads typically come as a .bin file, and Cisco publishes an MD5 checksum alongside each image so you can verify the copy that actually landed on the device before you boot from it.
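Putting the four points together, here is an added example (not from the original post) of the checks you would run on a router before and after copying a new image; the hostname, image filename and the MD5 placeholder are assumptions, and the real checksum comes from the download page on cisco.com.

```cisco
! 1-2: what is running now, and how much DRAM and flash the box has
Router# show version
Router# show version | include IOS|bytes of memory|flash
! 4: confirm the new .bin is present and there is still room in flash
Router# dir flash:
! Verify the image against the MD5 published by Cisco before trusting it
! (with no checksum argument the command just prints the computed hash)
Router# verify /md5 flash:c2900-universalk9-mz.SPA.154-3.M7.bin
Router# verify /md5 flash:c2900-universalk9-mz.SPA.154-3.M7.bin <md5-from-cisco.com>
! 3: point the boot variable at the verified image and save
Router# configure terminal
Router(config)# no boot system
Router(config)# boot system flash:c2900-universalk9-mz.SPA.154-3.M7.bin
Router(config)# end
Router# write memory
Router# show bootvar                 ! "show boot" on Catalyst switches
Router# reload
! after the reload, confirm the new release is the one running
Router# show version | include IOS
```

Keep the old image in flash until the new one has booted cleanly; if the MD5 does not match, do not change the boot variable, because a corrupt image can leave you at the rommon prompt on the next reload.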

For more detailed basic IOS information you can reference Cisco's page here

User Levels

In Cisco devices there is a hierarchical structure of modes for access levels and permissions.  

User EXEC:
  • User EXEC mode gives you Level 1 privileges which allow access to very basic functions of the network device.  Even though this level is severely restricted in terms of what can be executed from it there is still damage that can be done from this level.
  • Most properly hardened devices default to User EXEC mode when you first log in.   You can verify that you are in this mode by looking at the prompt.  In Cisco switches, routers, and firewalls this prompt will look like:   hostname>  
Privileged EXEC:
  • Privileged EXEC mode gives you level 15 privileges.  With level 15 privilege you have complete administrative control over the network device.  The only thing you cannot configure with this privilege level would be something like rommon or similar service that has to be configured outside of the normal operating system.  
  • Privileged exec mode looks like:  hostname#
Privilege Levels 0, 2-14
  • Yes, these levels do exist and you can custom define their capabilities.  Level 0 is the most restricted (only disable, enable, exit, help, and logout), and levels 2-14 start out empty until you move commands into them.  Most admins overlook them because in SMB they usually aren't necessary simply due to the smaller staff.  When you enter large organizations, though, and part of your team needs access to do things like verify traffic flowing through a port but not make any configuration changes, you will see these other levels being utilized more often.
Global Configuration and Other Modes
  • Cisco will state that there are other configuration modes outside of the User and Privileged EXEC.  Personally I tend to look at these as sub-configuration modes because in order to enter almost all of those modes you need to first be Privileged EXEC (or have a custom defined level that grants access). 
  • To enter Global Configuration mode you would
    • hostname#configure terminal
    • hostname(config)#
I think it's an overkill if you are just beginning to familiarize yourself with Cisco equipment, but if you would like to learn more about the various access levels and modes this Cisco document explains them briefly and includes instructions on how to enter/exit the various modes/sub-modes.
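As an added example (not from the original post or Cisco's document), this is what a custom level 5 for a "look but don't touch" helpdesk account looks like; the hostname, account names and passwords are placeholders, and the set of show commands moved down to level 5 is an assumption you would tailor to your own team.

```cisco
Router# configure terminal
! level 15 enable password (stored hashed) and a separate password for "enable 5"
Router(config)# enable secret Level15Secret
Router(config)# enable secret level 5 Level5Secret
! move selected read-only commands from level 15 down to level 5
Router(config)# privilege exec level 5 show running-config
Router(config)# privilege exec level 5 show interfaces
Router(config)# privilege exec level 5 show ip interface brief
Router(config)# privilege exec level 5 show ip route
! a local account that lands at level 5 as soon as it logs in
Router(config)# username helpdesk privilege 5 secret HelpdeskPassword
Router(config)# line vty 0 4
Router(config-line)# login local
Router(config-line)# transport input ssh
Router(config-line)# end
! confirm the level you are at, and what the running config now says
Router# show privilege
Router# show running-config | include privilege|username
```

Always test the result by logging in as the new user: "configure terminal" should be rejected, and note that show running-config viewed from a lower level only displays the parts of the configuration that level is allowed to see.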

VLAN Basic Concept

Some of you are here because you don't know what a VLAN is.  VLAN simply stands for Virtual Local Area Network.  

A VLAN is:
  • LAN independent
  • A broadcast domain
  • A logical network
VLANs do/create:
  • Network Segmentation
  • Security
  • Network Flexibility

On Cisco switches the way each individual port is configured determines how many VLANs the port carries.  If the port is configured as an access port it carries only one VLAN (plus, optionally, a voice VLAN for a phone); if configured as a trunk port it can carry as many VLANs as the device is capable of.  The mode is set with the 'switchport mode' command in interface configuration mode, which you enter from global configuration with 'interface' for a single port or 'interface range' for several.
Enabling trunk mode and switching to access mode on an interface:

Layer 3 devices, your router, can only support one VLAN per logical interface.  This means that if you have a trunk link from a switch terminating at a router so you can enable inter-VLAN routing, you simply create sub-interfaces (logical interfaces) on the physical port that the VLAN trunk is plugged into, one per VLAN.  
This picture only creates the logical subinterfaces on Ethernet port 1/0 of router 3; it does not configure them.  A show ip interface brief command will list the subinterfaces after doing this:
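The two procedures above (access vs. trunk on the switch, and subinterfaces on the router) fit together as one router-on-a-stick setup; here is an added example of the whole thing, not the configuration from the original pictures.  VLAN numbers, port names, the addresses and the hostnames are assumptions, and the router side uses Ethernet1/0 on R3 to match the text.

```cisco
! --- Switch: one VLAN per access port, only the needed VLANs on the trunk ---
Switch# configure terminal
Switch(config)# vlan 10
Switch(config-vlan)# name DATA
Switch(config-vlan)# vlan 20
Switch(config-vlan)# name VOICE
Switch(config-vlan)# vlan 999
Switch(config-vlan)# name NATIVE-UNUSED
Switch(config-vlan)# exit
Switch(config)# interface range FastEthernet0/1 - 24
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 10
Switch(config-if-range)# switchport voice vlan 20
Switch(config-if-range)# switchport nonegotiate   ! never let DTP talk this port into trunking
Switch(config-if-range)# exit
Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# switchport trunk encapsulation dot1q   ! only on platforms that also speak ISL
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk native vlan 999       ! keep untagged frames off a real VLAN
Switch(config-if)# switchport trunk allowed vlan 10,20
Switch(config-if)# switchport nonegotiate
Switch(config-if)# end
Switch# show interfaces trunk
Switch# show vlan brief

! --- R3: one subinterface per VLAN on the port the trunk lands on ---
R3# configure terminal
R3(config)# interface Ethernet1/0
R3(config-if)# no shutdown                 ! physical port carries no IP address of its own
R3(config-if)# interface Ethernet1/0.10
R3(config-subif)# encapsulation dot1Q 10   ! tag number must match the VLAN on the switch
R3(config-subif)# ip address 192.168.10.1 255.255.255.0
R3(config-subif)# interface Ethernet1/0.20
R3(config-subif)# encapsulation dot1Q 20
R3(config-subif)# ip address 192.168.20.1 255.255.255.0
R3(config-subif)# end
R3# show ip interface brief
```

The native VLAN is set to an unused number and DTP is disabled on both sides on purpose: a trunk left at the defaults accepts untagged frames into VLAN 1 and will happily negotiate itself up with any device that sends DTP, which is the usual starting point for VLAN-hopping tricks.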


Why are VLANs helpful?

Simply put VLANs allow you to separate network traffic.  In real world scenarios this can separate VoIP (voice over IP) networks from data networks that are traveling over the same physical infrastructure or it could allow POS (point of sale) traffic separation from other traffic.

The first example is important because VoIP traffic requires QoS (Quality of Service) to be implemented for traffic management so that your VoIP traffic gets the bandwidth and priority it needs; in this implementation your VoIP traffic is identified by its VLAN tag/association and can be treated accordingly.  Have you ever been on a call from your office phone, or to someone's office phone, where the audio kept cutting out or sounded like it was improperly modulated?  There could be many reasons for this, but the most common is poor network implementation/planning when using VoIP systems.

Do you ever go to the coffee shop down the street and sit there using their free WiFi?  Do you think they process credit cards over the same internet connection?  The truth of it is that they probably shouldn't, for PCI compliance reasons and general network security, but most coffee shops probably do.  If they do and the POS systems are not running on a separate VLAN, I could go into the coffee shop, start my laptop, connect to the WiFi and then start sniffing network packets.  Even if credit card data was encrypted I know enough about technology to know that I would not want those encrypted packets falling into a cyber criminal's hands.  

VLANs can also allow large businesses to segment and organize their network traffic.  For instance you could have a VLAN called Accounting and a VLAN called Sales.  From this point everyone in Sales would be on the VLAN named Sales and everyone in Accounting would be on the Accounting VLAN.  This ensures that accounting resources such as the MAS90 server are not accessible or even visible to those in Sales.  This adds a layer of security because if one of your field sales reps puts a virus-infected laptop on the work network it will be more difficult for that virus to migrate to your accounting servers; it also keeps disgruntled employees from trying to manipulate the server since by and large they will not have access to it.  Keep in mind that this separation only holds if the router or Layer 3 switch that joins the VLANs also filters the traffic (with an access list, for example); by default it will route between Accounting and Sales without complaint.

These are just a few scenarios and do not go into detail on any of the important concepts of bandwidth or security, but they give you a general idea of how VLANs can help improve network traffic management and security.

Keep in mind:  
  • You CANNOT communicate VLAN to VLAN without routing the traffic between them.  This can be done by a router or by a multi-layer switch.
  • On a trunk link an 802.1Q ("dot1q") tag is inserted into the Ethernet header to mark which VLAN a frame belongs to; that tag is how the router (or its subinterface) knows which VLAN a frame came from before it routes the packet.  Don't confuse 802.1Q with 802.1X, which is port-based authentication and has nothing to do with tagging.

Types and Ranges of IPv4 "cast" Packets

In IPv4 there are several types of "cast" packets you will hear about.  Each of these works within an assigned space and has specific functions.

Broadcast Packets
  • Reserved IP of 255.255.255.255 (the limited broadcast address)
  • All "broadcast traffic" of the local network is sent to this address; it reaches every host on the local segment and is never forwarded by a router.
Multicast Packets
  • Sent to Class D address space in the range 224.x.x.x to 239.x.x.x
  • Use fewer "network resources" than broadcast packets because only devices that have joined the group process the traffic.  (Cisco CDP is a Layer 2 example: it is sent to a reserved multicast MAC address rather than an IP multicast group.)
Unicast Packets
  • Use standard addressable Class A, B, C space.
  • Packets sent directly to one specific device on the network.
Directed Broadcast
  • Uses the Layer 3 broadcast address of a subnet to reach every host on that subnet.
  • The broadcast address is always the last address of the subnet. 
    • On network 192.168.1.0/24 the directed broadcast or local broadcast address is 192.168.1.255
    • On network 10.10.0.0/16 the directed broadcast or local broadcast address is 10.10.255.255
    • On network 172.16.14.0/23 the directed broadcast address is 172.16.15.255
  • Unlike the limited broadcast, a directed broadcast can be routed from another network.  Whether a router forwards it onto the LAN is controlled by the ip directed-broadcast interface command; since IOS 12.0 it is off by default, and it should stay off, because forwarding directed broadcasts lets an outsider amplify traffic onto your segment (the classic smurf attack).

Important things to remember:

A Layer 2 switch floods broadcast, multicast, and unknown-unicast frames out every interface in the same VLAN except the one the frame came in on.  For unicast the flooding stops once the switch has learned which port the destination MAC address lives on; broadcast frames are always flooded.

Cisco switches learn MAC addresses only from the source address of frames, so a multicast address (which only ever appears as a destination) is never learned into the MAC table by default.  As the network admin you can add static multicast entries or enable IGMP snooping so that IP multicast is forwarded only to the ports that have joined the group.

Layer 3 devices filter broadcasts.

Another way to look at this is that a switch forms one broadcast domain per VLAN (everything in it receives a frame sent to 255.255.255.255) and one collision domain per port (see a different article for the definition).  Routers separate broadcast domains.  The concept might seem simple, but it is a very important lesson.

What is CLI?

The first thing you should know when jumping into the realm of Cisco products is about the CLI.  About 10 years ago when I jumped back into the computer world after being out of it for nearly a decade I saw a sysadmin using the black box in Windows to do basic things and I laughed.  Shortly after that I saw another using the terminal window in Linux and I laughed.  Then I saw someone using a terminal window in Mac OS and I was scratching my head.  Over time I came to notice this happening on servers, standard desktops, network infrastructure, web and cloud management platforms, all over the place really.  I was under the impression back around 2000 that these black windows that brought you to a command prompt were old school and hearkened back to my MS-DOS days.  As I brought myself up to speed with operating systems and interconnected devices I found that the command line interface (CLI) was not a pretty way of doing things, but a powerful way of doing things quickly.  In addition to being more powerful than the graphical user interface (GUI) it is also faster.

Most people these days want to see a pretty GUI and click around for a while until they get to what they need.  The fact is, when you do things that way you sometimes do not get all of the options, meaning that some things can only be done in the CLI.  Here's a case in point:  For you Windows 7 Home edition users, have you ever tried to go into your user accounts and enable the system administrator?  The administrator is a built-in account and comes in handy during virus infestations because it usually remains a clean account from which someone can clean up.  I spent about 15 minutes once trying to figure out how to enable that account before I hit CTRL + R, typed in cmd, and at the command prompt typed in "net user administrator [make up password here] /active:yes"; it was enabled in less than 45 seconds.  In some cases there might be permissions issues when doing this, but overall many things can be done very quickly when you know what you are doing.

Cisco enterprise products run the same way.  Many of the newer products have GUIs that you can enable if you want to, but doing so can open the switch, router, or device up to other security problems.  When you enable a GUI on a router you are activating an HTTP server on port 80 (and, for the secure version, HTTPS on 443), which is one more listening service reachable by anyone who can route to the device.  What's wrong with doing this?  Nothing, if you know how to secure your device, but even though the CPU and memory can probably handle it, if you are looking to keep your resource overhead and your attack surface down you would not want to activate services that are unnecessary.  You can often tell the difference in the field between the experienced and the inexperienced techs by their preference for the CLI or the GUI.
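To make the point concrete, here is an added example (not from the original post) of checking for and turning off the web server, and of the minimum fencing to put around it if the GUI really is required; the hostname, the management subnet and the ACL number are assumptions.

```cisco
! "HTTP server status: Enabled" in this output means tcp/80 is listening right now
Router# show ip http server status
Router# configure terminal
! Option 1: no GUI needed, so remove both listeners
Router(config)# no ip http server              ! plain-text HTTP on tcp/80
Router(config)# no ip http secure-server       ! HTTPS on tcp/443
! Option 2: GUI required, so keep HTTPS only, require a login, and restrict the source
Router(config)# access-list 10 permit 10.0.0.0 0.0.0.255   ! management hosts only
Router(config)# access-list 10 deny any log
Router(config)# no ip http server
Router(config)# ip http secure-server
Router(config)# ip http authentication local
Router(config)# ip http access-class 10
Router(config)# end
Router# write memory
Router# show ip http server status
Router# show running-config | include ip http
```

The same reasoning applies to every other service the box can listen on: if the running configuration shows a server you never use, the CLI gives you a one-line way to turn it off and a one-line way to prove it is off.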

Many people are daunted by Cisco's CLI, but really it's not that bad.  In future articles I will go into how it works, some of its quirks, and how to start programming your network.  Though it is not thought of by end users, network design/function is just as important as the applications or resources that it brings to you.

Introduction to Cisco

Are you curious how Cisco devices work?  By Cisco devices I'm not referring to the Linksys routers they were making or even necessarily their SMB products; I'm talking about the devices that make the world run - enterprise and edge routers/switches.  These devices connect the fabric backbone of the internet and allow the safe integration of devices across the world.  After years of networking experience I am working on official certifications to move on to the next career step.  I am going to chronicle here some of the networking and related security concepts as well as many of the CLI commands (basic and advanced) for anyone to reference.  If you want to see something I am missing or if you are curious how things across the internet work let me know and I'll put up some information about it.