Packet Tracer – Configure initial switch settings

Goals

Part 1: Verify Default Switch Configuration

Part 2: Configure basic switch configuration

Part 3: Configure the MOTD banner

Part 4: Save Configuration File to NVRAM

Part 5: Configure S2

Background/Scene

In this exercise, you perform basic switch configuration tasks. You will secure access to the command line interface (CLI) and console ports using encrypted and clear text passwords. You will also learn how to configure a banner so that users logging into the switch see the message. Such banners are also used to warn unauthorized users against accessing the device.

Note: Catalyst 2960 switches in Packet Tracer default to IOS version 12.2. If necessary, the IOS can be updated from the file server in the Packet Tracer topology; after that, the switch can be configured to use IOS version 15.0 if you need that version.

Part 1: Verifying the Default Switch Configuration

Step 1: Enter privileged EXEC mode.

In privileged EXEC mode, you can use all switch commands. However, because many privileged commands configure operating parameters, privileged access should be password-protected to prevent unauthorized use.

The privileged EXEC mode command set includes those available in user EXEC mode, many additional commands, and the configure command used to gain access to configuration mode.

a. Click S1 and then click the CLI tab. Press the Enter key.

b. Enter the enable command to enter privileged EXEC mode:

Open the configuration window for S1

Switch> enable

Switch#

Note the change in prompt in privileged EXEC mode.

Step 2: Check current switch configuration.

Enter the show running-config command.

Switch# show running-config

Please answer the following questions:

How many Fast Ethernet interfaces does this switch have?

How many Gigabit Ethernet interfaces does this switch have?

This switch is configured with the following interfaces:

  • Fast Ethernet interface (FastEthernet): A total of 24 Fast Ethernet interfaces from FastEthernet0/1 to FastEthernet0/24.

  • Gigabit Ethernet interface (GigabitEthernet): There are two Gigabit Ethernet interfaces, namely GigabitEthernet0/1 and GigabitEthernet0/2.

What is the range of vty line values displayed?

The range of vty lines is:

  • line vty 0 4: This means that the number of the vty line ranges from 0 to 4.

  • line vty 5 15: This represents another range, with vty lines numbered from 5 to 15.

Which command displays the current contents of non-volatile random access memory (NVRAM)?

To display the current contents of non-volatile random access memory (NVRAM), you can use the following command:

Switch# show startup-config

Why does the switch return “startup-config is not present”?

There may be several reasons why the switch returns “startup-config is not present”:

  1. Configuration Not Saved: This message will appear if the configuration has not been saved on the switch, or the saved file is not in NVRAM. You can use the write memory or copy running-config startup-config command to save the current running configuration to NVRAM.

  2. Corrupted NVRAM: If the NVRAM is faulty or corrupted, it will also cause this message to be displayed. In this case, the NVRAM may need to be replaced or repaired.

  3. Configuration Lost: This message can also be caused if the configuration file in NVRAM is lost or deleted. In this case, you need to reconfigure the switch and make sure to save the configuration to NVRAM.

Part 2: Creating a basic switch configuration

Step 1: Assign a name to the switch.

To configure parameters on the switch, you may need to switch between various configuration modes. Note the change in prompts when navigating the switch.

Switch# configure terminal

Switch(config)# hostname S1

S1(config)# exit

S1#

Step 2: Secure access to the console line.

To protect access to the console line, enter config-line mode and set the console password to letmein.

S1# configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

S1(config)# line console 0

S1(config-line)# password letmein

S1(config-line)# login

S1(config-line)# exit

S1(config)# exit

%SYS-5-CONFIG_I: Configured from console by console

S1#

Supplement 1: Line configuration mode

Line configuration mode is a specific configuration mode of Cisco switches and routers used to configure terminal connection lines (such as console lines or virtual terminal lines). In this mode, you can set various parameters to manage the behavior of terminal connections, including passwords, login verification, logging, etc. In line configuration mode, you can configure specific terminal lines for enhanced security and control.

The following are some common commands and configuration options in line configuration mode:

  • password: Used to set the password that users who connect to this line need to provide.

  • login: Enables login verification, requiring users to provide a valid username and password when connecting.

  • logging: Used to configure logging options to record activities related to this line.

  • exec-timeout: Set the automatic disconnection time of the terminal session.

  • transport input: Specifies the transport protocol that can be used to connect to the line, such as SSH, Telnet, etc.

Line configuration mode allows administrators to personalize endpoint connections to ensure network security and compliance. This is important for protecting physical or remote access to a switch or router.

Question: Why is the login command needed?

The login command enables login authentication, which is an important part of securing line access to the console. When the login command is enabled, it forces users to provide a valid username and password during console access to authenticate the user. This is for security reasons to ensure that only authorized users have access to the switch’s console.

If the login command is not enabled, anyone can physically access the switch’s console port and immediately gain full control without providing any credentials. This will pose a potential threat to network security because unauthorized users can access and modify the switch configuration, and even endanger the stability of the network.

By enabling the login command, the switch will require users to provide a username and password, ensuring that only authorized users can access and configure the switch. This increases the security of the network and helps prevent unauthorized access and potential threats.

Step 3: Verify that console access is protected.

Exit privileged mode and verify that the console port password is now in effect.

S1# exit

Switch con0 is now available

Press RETURN to get started.

User Access Verification

Password:

S1>

Note: If the switch does not prompt you to enter a password, it means that you have not configured the login parameter in step 2.

Step 4: Protect privileged mode access.

Set the enable password to c1$c0. This password is used to protect access to privileged mode.

Note: The 0 in c1$c0 is a zero, not a capital O. This password will not be graded as correct until you encrypt it in step 8.

S1> enable

S1# configure terminal

S1(config)# enable password c1$c0

S1(config)# exit

%SYS-5-CONFIG_I: Configured from console by console

S1#

Step 5: Verify that privileged mode access is secure.

a. Enter the exit command again to log out of the switch.

b. Press the Enter key and you will be prompted to enter your password this time:

User Access Verification

Password:

c. The first password is the console password you configured for line con 0. Enter this password to return to user EXEC mode.

d. Enter the command to access privileged mode.

e. Enter the second password you configured to protect privileged EXEC mode.

f. Verify your configuration by examining the contents of the run configuration file:

S1# show running-config

Note that both the console and enable passwords are stored in clear text. This poses a security risk if someone looks over your shoulder while you work or gains access to configuration files stored in a backup location.

Step 6: Configure an encrypted password to protect access to privileged mode.

The enable secret command should be used instead of the enable password command to configure a new, encrypted enable password. Set the enable secret password to itsasecret.

S1# config t

S1(config)# enable secret itsasecret

S1(config)# exit

S1#

Note: The enable secret password overrides the enable password. If both passwords are configured on the switch, you must enter the enable secret password to enter privileged EXEC mode.

Step 7: Verify that the enable encryption password has been added to the configuration file.

Enter the show running-config command again to verify that the new enable encryption password has been configured.

Note: You can abbreviate show running-config to

S1# show run

Question: Why is the enable secret password displayed differently from the one we configured?

Displayed as: $1$mERr$ILwq/b7kc.7X/ejA4Aosn0

Cause: enable secret is the command used to set the privileged mode password. Passwords set this way are stored in encrypted form for added security, so the running configuration shows the encrypted value rather than the password we typed: it begins with $1$ followed by a string of characters representing the encrypted password. In the enable secret line of the configuration, the number "5" indicates that the MD5 algorithm was used to encrypt the password. This number is a configuration flag on the Cisco device that tells it which algorithm applies to the stored password. In a real configuration, other numbers or keywords select different encryption algorithms, but "5" means MD5.

Step 8: Encrypt the enable password and console password.

As you can see in step 7, the enable secret password is encrypted, but the enable password and the console password are still shown in clear text. Now encrypt these clear text passwords using the service password-encryption command.

S1# config t

S1(config)# service password-encryption

S1(config)# exit

Question: If you configure additional passwords on the switch, will they appear in the configuration file as clear text or encrypted? Please explain why.

They appear in encrypted form. In practice, after the enable password is reset to 123, the configuration file on the switch still displays it in encrypted form.

service password-encryption encrypts all passwords using Cisco's proprietary method, and such passwords are marked with type 7 in the show run output. The enable secret is marked with type 5, which is the MD5 result.

After service password-encryption is enabled, show run no longer reveals the plaintext; a forgotten password can only be reset.

Part 3: Configuring the MOTD banner

Step 1: Configure the Message of the Day (MOTD) banner.

The Cisco IOS command set includes a feature that displays a message to anyone who logs into the switch. These messages are called message of the day (MOTD) banners. Enclose the banner text in quotation marks, or use another delimiter, but the delimiter must not be a character that appears anywhere in the MOTD string.

S1# config t

S1(config)# banner motd "This is a secure system. Authorized Access Only!"

S1(config)# exit

%SYS-5-CONFIG_I: Configured from console by console

S1#

Question:

When is this banner displayed?

The banner appears at the top of the terminal or session window when a user logs into the switch.

Why should every switch have a MOTD banner?

The MOTD banner exists for several important reasons:

  1. Provide warning information: MOTD banners can be used to provide warning information, such as network security policies, license agreements, or important notices. This helps users understand the environment and rules within which they interact with the switch.

  2. Enhanced security: MOTD banners can be used to emphasize the security of the system and remind users that only authorized access is allowed. This helps prevent unauthorized access and operations.

  3. Compliance Requirements: Some industries and regulations require specific warning messages or licensing terms to be displayed on network devices. These compliance requirements can be met through the MOTD banner.

  4. Convey important information: MOTD banners can be used to convey important information, such as ways to contact support or notifications of network emergencies. This helps users get necessary help or guidance.

Therefore, every switch should have a properly configured MOTD banner to improve network security, comply with regulations, and convey necessary information.
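As an added example (not part of the lab and not a Cisco tool), the following Python audit reads running-config text and reports what Steps 7 and 8 of Part 2 describe (type 5 enable secret, type 7 after service password-encryption, any password still in plaintext), extracts the MOTD text using the delimiter rule from Part 3, and flags line blocks that lack login. The sample configuration is constructed; its type 5 hash is the one shown on this page and the type 7 strings are placeholders.

```python
import re

# Constructed sample of show running-config after Parts 2 and 3: the type 5 hash
# is the one shown on this page, the type 7 strings are constructed placeholders.
SAMPLE_CONFIG = """\
service password-encryption
enable secret 5 $1$mERr$ILwq/b7kc.7X/ejA4Aosn0
enable password 7 0123456789ABCDEF
banner motd "This is a secure system. Authorized Access Only!"
line con 0
 password 7 0123456789ABCDEF
 login
"""
PW_RE = re.compile(r"^\s*(enable secret|enable password|password)\s+(?:(\d)\s+)?(\S+)")

def classify_password(line):
    """'type5' (enable secret, MD5), 'type7' (service password-encryption) or 'plaintext'."""
    m = PW_RE.match(line)
    if not m:
        return None
    t = m.group(2)  # numeric type tag shown in show run, if any
    return "plaintext" if t in (None, "0") else "type" + t

def parse_banner(line):
    """IOS delimiter rule: the first character after 'banner motd' is the delimiter
    and the message ends at its next occurrence, so it must not appear in the text."""
    m = re.match(r"^banner motd\s+(.*)$", line)
    if not m or not m.group(1):
        return None
    body = m.group(1)
    end = body.find(body[0], 1)
    return body[1:end] if end != -1 else body[1:]

def audit(config):
    """Collect the lab's hardening facts from running-config text."""
    result = {"plaintext": [], "type7": [], "type5": [], "banner": None}
    for raw in config.splitlines():
        kind = classify_password(raw)
        if kind:
            result.setdefault(kind, []).append(raw.strip())
        if raw.startswith("banner motd"):
            result["banner"] = parse_banner(raw)
    result["service_password_encryption"] = re.search(r"(?m)^service password-encryption$", config) is not None
    # each "line ..." block (con 0, vty 0 4, ...) should contain an indented "login"
    blocks = re.split(r"(?m)^(?=line )", config)
    result["lines_without_login"] = [b.splitlines()[0] for b in blocks
                                     if b.startswith("line ") and "\n login" not in b]
    return result
```

Running audit on the text of show run before Step 8 lists the enable and console passwords under plaintext; after Step 8 they move to type7 while the enable secret stays type5.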

Part 4: Saving and verifying configuration files to NVRAM

Step 1: Use the show run command to verify whether the configuration is accurate.

Save the configuration file. You have completed the basic configuration of the switch. Now back up the running configuration file to NVRAM so that the changes are not lost if the system reboots or loses power.

S1# copy running-config startup-config

Destination filename [startup-config]?[Enter]

Building configuration…

[OK]

Close configuration window for S1

Question:

What is the shortest abbreviation for the copy running-config startup-config command?

On Cisco switches, the copy running-config startup-config command can be abbreviated to copy run start.

Check the startup configuration file. Which command displays the contents of NVRAM?

To check the contents of NVRAM, use the show startup-config command. This displays the contents of the startup configuration file saved in NVRAM.

Are all previously entered changes recorded in the file?

NVRAM holds the saved configuration file, not every change that was ever entered. Only configuration changes saved explicitly with write memory, copy running-config startup-config, or a similar command are written to NVRAM. Any unsaved changes are lost when the device is restarted. Therefore, only saved configuration changes are included in the startup configuration file in NVRAM.

Part 5: Configuring S2

You have completed configuring S1. You will now configure S2. If you don't remember the commands, see Parts 1 through 4 for help.

Configure S2 with the following parameters:

Open the configuration window for S2

a. Device name: S2

b. Use the password letmein to protect console access.

c. Configure the enable password c1$c0 and the enable secret password itsasecret.

d. Configure appropriate messages for users logging into the switch.

e. Encrypt all clear text passwords.

f. Make sure the configuration is correct.

g. Save the configuration file to avoid losing it when the switch is powered off.

enable
configure terminal
hostname S2
! secure the console line (step b)
line console 0
password letmein
login
exit
! privileged mode passwords (step c)
enable password c1$c0
enable secret itsasecret
! login banner (step d)
banner motd "This is a secure system. Authorized Access Only!"
! encrypt the remaining clear text passwords (step e)
service password-encryption
exit
! verify with show running-config (step f), then save to NVRAM (step g)
copy running-config startup-config
exit
