Configuring the Switch for the First Time


This chapter describes how to initially configure a Catalyst 4500 series switch.

The information presented here supplements the administration information and procedures in this publication: Cisco IOS Configuration Fundamentals Command Reference, Release 12.2SR, at this URL:

http://www.cisco.com/en/US/docs/ios/12_2/configfun/command/reference/frfabout.html

This chapter includes the following major sections:

Default Switch Configuration

Configuring the Switch

Controlling Access to Privileged EXEC Commands

Recovering a Lost Enable Password

Modifying the Supervisor Engine Startup Configuration


Note For complete syntax and usage information for the switch commands used in this chapter, look at the Cisco Catalyst 4500 Series Switch Command Reference and related publications at this location:

http://www.cisco.com/en/US/products/hw/switches/ps4324/index.html

If the command is not found in the Catalyst 4500 Command Reference, it is located in the larger Cisco IOS library. Refer to the Catalyst 4500 Series Switch Cisco IOS Command Reference and related publications at this location:

http://www.cisco.com/en/US/products/ps6350/index.html


Default Switch Configuration

This section describes the default configurations for the Catalyst 4500 series switch. Table 3-1 shows the default configuration settings for each feature.

Table 3-1 Default Switch Configuration 

Feature                     Default Settings
Administrative connection   Normal mode
Global switch information   No default value for system name, system contact, and location
System clock                No value for system clock time
Passwords                   No passwords are configured for normal mode or enable mode (press the Return key)
Switch prompt               Switch>
Interfaces                  Enabled, with speed and flow control autonegotiated, and without IP addresses


Configuring the Switch

The following sections describe how to configure your switch:

Using Configuration Mode to Configure Your Switch

Checking the Running Configuration Settings

Saving the Running Configuration Settings to Your Start-up File

Reviewing the Configuration in NVRAM

Configuring a Default Gateway

Configuring a Static Route

Using Configuration Mode to Configure Your Switch

To configure your switch from configuration mode, perform this procedure:


Step 1 Connect a console terminal to the console interface of your supervisor engine.

Step 2 After a few seconds, you will see the user EXEC prompt (Switch>). Now, you may want to enter privileged EXEC mode, also known as enable mode. Type enable to enter enable mode:

Switch> enable


Note You must be in enable mode to make configuration changes.


The prompt will change to the enable prompt (#):

Switch#

Step 3 At the enable prompt (#), enter the configure terminal command to enter global configuration mode:

Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#

Step 4 At the global configuration mode prompt, enter the interface type slot/interface command to enter interface configuration mode:

Switch(config)# interface fastethernet 5/1
Switch(config-if)# 

Step 5 In either of these configuration modes, enter changes to the switch configuration.

Step 6 Enter the end command to exit configuration mode.

Step 7 Save your settings. (See the "Saving the Running Configuration Settings to Your Start-up File" section.)


Your switch is now minimally configured and can boot with the configuration you entered. To see a list of the configuration commands, enter ? at the prompt or press the help key in configuration mode.

Checking the Running Configuration Settings

To verify the configuration settings you entered or the changes you made, enter the show running-config command at the enable prompt (#), as shown in this example:

Switch# show running-config
Building configuration...
 
Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch

<...output truncated...>

!
line con 0
 transport input none
line vty 0 4
 exec-timeout 0 0
 password lab
 login
 transport input lat pad dsipcon mop telnet rlogin udptn nasi
!
end
Switch#

Saving the Running Configuration Settings to Your Start-up File


Caution This command saves the configuration settings that you created in configuration mode. If you fail to do this step, your configuration will be lost the next time you reload the system.

To store the configuration, changes to the configuration, or changes to the startup configuration in NVRAM, enter the copy running-config startup-config command at the enable prompt (#), as follows:

Switch# copy running-config startup-config

Reviewing the Configuration in NVRAM

To display information stored in NVRAM, enter the show startup-config EXEC command.

The following example shows a typical system configuration:

Switch# show startup-config
Using 1579 out of 491500 bytes, uncompressed size = 7372 bytes
Uncompressed configuration from 1579 bytes to 7372 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
service compress-config
!
hostname Switch
!
!
ip subnet-zero
!
!
!
!
interface GigabitEthernet1/1
 no snmp trap link-status
!
interface GigabitEthernet1/2
 no snmp trap link-status
!--More-- 

<...output truncated...>

!
line con 0
 exec-timeout 0 0
 transport input none
line vty 0 4
 exec-timeout 0 0
 password lab
 login
 transport input lat pad dsipcon mop telnet rlogin udptn nasi
!
end

Switch# 

Configuring a Default Gateway


Note The switch uses the default gateway only when it is not configured with a routing protocol.


Configure a default gateway to send data to subnets other than its own when the switch is not configured with a routing protocol. The default gateway must be the IP address of an interface on a router that is directly connected to the switch.

To configure a default gateway, perform this task:

 
Step     Command                                         Purpose
Step 1   Switch(config)# ip default-gateway IP-address   Configures a default gateway.
Step 2   Switch# show ip route                           Verifies that the default gateway is correctly displayed in the IP routing table.

This example shows how to configure a default gateway and how to verify the configuration:

Switch# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)# ip default-gateway 172.20.52.35
Switch(config)# end
3d17h: %SYS-5-CONFIG_I: Configured from console by console
Switch# show ip route
Default gateway is 172.20.52.35

Host               Gateway           Last Use    Total Uses  Interface
ICMP redirect cache is empty
Switch# 

Configuring a Static Route

If your Telnet station or SNMP network management workstation is on a different network from your switch and a routing protocol has not been configured, you might need to add a static routing table entry for the network where your end station is located.

To configure a static route, perform this task:

 
Step     Command                                                                             Purpose
Step 1   Switch(config)# ip route dest_IP_address mask {forwarding_IP | vlan vlan_ID}        Configures a static route to the remote network.
Step 2   Switch# show running-config                                                         Verifies that the static route is displayed correctly.

This example shows how to use the ip route command to configure a static route to a workstation at IP address 171.10.5.10, specifying a subnet mask and the IP address of the forwarding router, 172.20.3.35:

Switch# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)# ip route 171.10.5.10 255.255.255.255 172.20.3.35
Switch(config)# end
Switch#

This example shows how to use the show running-config command to confirm the configuration of the static route:

Switch# show running-config
Building configuration...
.
<...output truncated...>
.
ip default-gateway 172.20.52.35
ip classless
ip route 171.10.5.10 255.255.255.255 172.20.3.35
no ip http server
!
line con 0
 transport input none
line vty 0 4
 exec-timeout 0 0
 password lab
 login
 transport input lat pad dsipcon mop telnet rlogin udptn nasi
!
end
 
Switch#

This example shows how to use the ip route command to configure a static route to a workstation at IP address 171.20.5.3, specifying a subnet mask and forwarding over VLAN 1:

Switch# configure terminal
Switch(config)# ip route 171.20.5.3 255.255.255.255 vlan 1
Switch(config)# end
Switch# 

This example shows how to use the show running-config command to confirm the configuration of the static route:

Switch# show running-config
Building configuration...
.
<...output truncated...>
.
ip default-gateway 172.20.52.35
ip classless
ip route 171.20.5.3 255.255.255.255 Vlan1
no ip http server
!
!
x25 host z
!
line con 0
 transport input none
line vty 0 4
 exec-timeout 0 0
 password lab
 login
 transport input lat pad dsipcon mop telnet rlogin udptn nasi
!
end

Switch# 

Controlling Access to Privileged EXEC Commands

The procedures in these sections let you control access to the system configuration file and privileged EXEC commands:

Setting or Changing a Static enable Password

Using the enable Password and enable secret Commands

Setting or Changing a Privileged Password

Setting TACACS+ Password Protection for Privileged EXEC Mode

Encrypting Passwords

Configuring Multiple Privilege Levels

Setting or Changing a Static enable Password

To set or change a static password that controls access to the enable mode, perform this task:

Command                                    Purpose
Switch(config)# enable password password   Sets a new password or changes an existing password for the privileged EXEC mode.


This example shows how to configure an enable password as "lab" at the privileged EXEC mode:

Switch# configure terminal
Switch(config)# enable password lab
Switch(config)#

For instructions on how to display the password or access level configuration, see the "Displaying the Password, Access Level, and Privilege Level Configuration" section.

Using the enable Password and enable secret Commands

To provide an additional layer of security, particularly for passwords that cross the network or that are stored on a TFTP server, you can use either the enable password or enable secret commands. Both commands configure an encrypted password that you must enter to access the enable mode (the default) or any other privilege level that you specify.

We recommend that you use the enable secret command.

If you configure the enable secret command, it takes precedence over the enable password command; the two commands cannot be in effect simultaneously.

To configure the switch to require an enable password, perform either one of these tasks:

Command                                                                                       Purpose
Switch(config)# enable password [level level] {password | encryption-type encrypted-password}   Establishes a password for the privileged EXEC mode.
Switch(config)# enable secret [level level] {password | encryption-type encrypted-password}     Specifies a secret password that will be saved using a nonreversible encryption method. (If enable password and enable secret commands are both set, users must enter the enable secret password.)


When you enter either of these password commands with the level option, you define a password for a specific privilege level. After you specify the level and set a password, give the password only to users who need to have access at this level. Use the privilege level configuration command to specify commands accessible at various levels.

If you enable the service password-encryption command, the password you enter is encrypted. When you display the configuration with the more system:running-config command, the password is displayed in encrypted form.

If you specify an encryption type, you must provide an encrypted password—an encrypted password you copy from another Catalyst 4500 series switch configuration.


Note You cannot recover a lost encrypted password. You must clear NVRAM and set a new password. See the "Recovering a Lost Enable Password" section for more information.


For information on how to display the password or access level configuration, see the "Displaying the Password, Access Level, and Privilege Level Configuration" section.

Setting or Changing a Privileged Password

To set or change a privileged password, perform this task:

Command                                  Purpose
Switch(config-line)# password password   Sets a new password or changes an existing password for the privileged level.


For information on how to display the password or access level configuration, see the "Displaying the Password, Access Level, and Privilege Level Configuration" section.

Setting TACACS+ Password Protection for Privileged EXEC Mode

For complete information about TACACS+ and RADIUS, refer to these publications:

The "Authentication, Authorization, and Accounting (AAA)" chapter in the Cisco IOS Security Configuration Guide, Release 12.2, at the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/secur_c/scprt1/index.htm

Cisco IOS Security Command Reference, Release 12.2, at the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/secur_r/index.htm

To set the TACACS+ protocol to determine whether a user can access privileged EXEC mode, perform this task:

Command                             Purpose
Switch(config)# enable use-tacacs   Sets the TACACS-style user ID and password-checking mechanism for the privileged EXEC mode.


When you set TACACS password protection at the privileged EXEC mode, the enable EXEC command prompts you for a new username and a new password. This information is then passed to the TACACS+ server for authentication. If you are using the extended TACACS, another extension to the older TACACS protocol that provides additional functionality, it also passes any existing UNIX user identification code to the TACACS+ server.

Extended TACACS is an extension to the older TACACS protocol that supplies additional functionality to TACACS. It provides information about protocol translator and router use. This information is used in UNIX auditing trails and accounting files.


Note When used without extended TACACS, the enable use-tacacs command allows anyone with a valid username and password to access the privileged EXEC mode, creating a potential security risk. This problem occurs because the query resulting from entering the enable command is indistinguishable from an attempt to log in without extended TACACS.


Encrypting Passwords

Because protocol analyzers can examine packets (and read passwords), you can increase access security by configuring the Cisco IOS software to encrypt passwords. Encryption prevents the password from being readable in the configuration file.

To configure the Cisco IOS software to encrypt passwords, perform this task:

Command                                       Purpose
Switch(config)# service password-encryption   Encrypts a password.


Encryption occurs when the current configuration is written or when a password is configured. Password encryption is applied to all passwords, including authentication key passwords, the privileged command password, console and virtual terminal line access passwords, and Border Gateway Protocol (BGP) neighbor passwords. The service password-encryption command keeps unauthorized individuals from viewing your password in your configuration file.


Caution The service password-encryption command does not provide a high level of network security. If you use this command, you should also take additional network security measures.

Although you cannot recover a lost encrypted password (that is, you cannot get the original password back), you can regain control of the switch after having lost or forgotten the encrypted password. See the "Recovering a Lost Enable Password" section for more information.

For information on how to display the password or access level configuration, see the "Displaying the Password, Access Level, and Privilege Level Configuration" section.

Configuring Multiple Privilege Levels

By default, the Cisco IOS software has two modes of password security: user EXEC mode and privileged EXEC mode. You can configure up to 16 hierarchical levels of commands for each mode. By configuring multiple passwords, you can allow different sets of users to have access to specified commands.

For example, if you want many users to have access to the clear line command, you can assign it level 2 security and distribute the level 2 password fairly widely. If you want more restricted access to the configure command, you can assign it level 3 security and distribute that password to fewer users.

The procedures in the following sections describe how to configure additional levels of security:

Setting the Privilege Level for a Command

Changing the Default Privilege Level for Lines

Logging In to a Privilege Level

Exiting a Privilege Level

Displaying the Password, Access Level, and Privilege Level Configuration

Setting the Privilege Level for a Command

To set the privilege level for a command, perform this task:

 
Step     Command                                                                Purpose
Step 1   Switch(config)# privilege mode level level command                     Sets the privilege level for a command.
Step 2   Switch(config)# enable password level level [encryption-type] password   Specifies the enable password for a privilege level.

For information on how to display the password or access level configuration, see the "Displaying the Password, Access Level, and Privilege Level Configuration" section.

Changing the Default Privilege Level for Lines

To change the default privilege level for a given line or a group of lines, perform this task:

Command                                      Purpose
Switch(config-line)# privilege level level   Changes the default privilege level for the line.


For information on how to display the password or access level configuration, see the "Displaying the Password, Access Level, and Privilege Level Configuration" section.

Logging In to a Privilege Level

To log in at a specified privilege level, perform this task:

Command                Purpose
Switch# enable level   Logs in to a specified privilege level.


Exiting a Privilege Level

To exit to a specified privilege level, perform this task:

Command                 Purpose
Switch# disable level   Exits to a specified privilege level.


Displaying the Password, Access Level, and Privilege Level Configuration

To display detailed password information, perform this task:

 
Step     Command                       Purpose
Step 1   Switch# show running-config   Displays the password and access level configuration.
Step 2   Switch# show privilege        Shows the privilege level configuration.

This example shows how to display the password and access level configuration:

Switch# show running-config
Building configuration...

Current configuration:
!
version 12.0
service timestamps debug datetime localtime
service timestamps log datetime localtime
no service password-encryption
!
hostname Switch
!
boot system flash sup-bootflash
enable password lab
!
<...output truncated...>

This example shows how to display the privilege level configuration:

Switch# show privilege
Current privilege level is 15
Switch# 
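The checks this section describes (enable secret preferred over enable password, service password-encryption, and passwords stored in the clear) can be run over a saved configuration. The following Python audit is an added example, not Cisco code: the function name, finding codes, and both sample configurations are constructed for illustration (the first is assembled from the show running-config excerpts on this page, the second uses placeholder hash strings).

```python
import re

# Optional "level N", optional numeric encryption type, then the password string,
# following the command syntax shown in this chapter.
PW_RE = re.compile(
    r"^(enable password|enable secret|password)\s+"
    r"(?:level\s+(\d+)\s+)?(?:(\d+)\s+)?(\S+)$"
)

# Constructed sample assembled from the show running-config excerpts on this page.
SAMPLE_CONFIG = """\
version 12.0
no service password-encryption
!
hostname Switch
!
enable password lab
!
line con 0
 transport input none
line vty 0 4
 exec-timeout 0 0
 password lab
 login
!
end
"""

# Constructed sample with the recommended settings; hash strings are placeholders.
HARDENED_CONFIG = """\
service password-encryption
!
hostname Switch
!
enable secret 5 $1$PLACEHOLDER$PLACEHOLDERHASHVALUE000
!
line vty 0 4
 password 7 0000PLACEHOLDER
 login
!
end
"""


def audit(config):
    """Return a list of (finding_code, context) tuples; password values are never echoed."""
    findings = []
    commands = [ln.strip() for ln in config.splitlines()]

    # "no service password-encryption" does not equal the bare command, so it is flagged too.
    if "service password-encryption" not in commands:
        findings.append(("NO_PASSWORD_ENCRYPTION", "global"))
    # The chapter's Note warns about this command when extended TACACS is not in use.
    if "enable use-tacacs" in commands:
        findings.append(("ENABLE_USE_TACACS", "global"))

    # Privilege levels (None = no level keyword) that already have an enable secret.
    secret_levels = {
        m.group(2) for m in map(PW_RE.match, commands)
        if m and m.group(1) == "enable secret"
    }

    context = "global"
    for raw in config.splitlines():
        cmd = raw.strip()
        if not cmd or cmd == "!":
            continue
        if not raw[0].isspace():
            # An unindented command ends any line sub-mode that was open.
            context = cmd if cmd.startswith("line ") else "global"
        m = PW_RE.match(cmd)
        if not m:
            continue
        kind, level, enc_type, _value = m.groups()
        cleartext = enc_type in (None, "0")
        if kind == "enable password":
            where = f"level {level}" if level else "default level"
            if level in secret_levels:
                # enable secret takes precedence, so this entry is unused.
                findings.append(("REDUNDANT_ENABLE_PASSWORD", where))
            else:
                findings.append(("ENABLE_PASSWORD_WITHOUT_SECRET", where))
            if cleartext:
                findings.append(("CLEARTEXT_ENABLE_PASSWORD", where))
        elif kind == "password" and context.startswith("line ") and cleartext:
            findings.append(("CLEARTEXT_LINE_PASSWORD", context))
    return findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name)
        for code, where in audit(cfg):
            print(f"  {code} ({where})")
```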

Recovering a Lost Enable Password


Note For more information on the configuration register, which is preconfigured in NVRAM, see the "Configuring the Software Configuration Register" section.


Perform these steps to recover a lost enable password:


Step 1 Connect to the console interface.

Step 2 Stop the boot sequence and enter ROM monitor by pressing Ctrl-C during the first 5 seconds of bootup.

Step 3 Configure the switch to boot up without reading the configuration memory (NVRAM).

Step 4 Reboot the system.

Step 5 Access enable mode (this can be done without a password if a password has not been configured).

Step 6 View or change the password, or erase the configuration.

Step 7 Reconfigure the switch to boot up and read the NVRAM as it normally does.

Step 8 Reboot the system.


Modifying the Supervisor Engine Startup Configuration

These sections describe how the startup configuration on the supervisor engine works and how to modify the configuration register and BOOT variable:

Understanding the Supervisor Engine Boot Configuration

Configuring the Software Configuration Register

Specifying the Startup System Image

Controlling Environment Variables

Understanding the Supervisor Engine Boot Configuration

The supervisor engine boot process involves two software images: ROM monitor and supervisor engine software. When the switch is booted or reset, the ROMMON code is executed. Depending on the NVRAM configuration, the supervisor engine either stays in ROMMON mode or loads the supervisor engine software.

Two user-configurable parameters determine how the switch boots: the configuration register and the BOOT environment variable. The configuration register is described in the "Modifying the Boot Field and Using the boot Command" section. The BOOT environment variable is described in the "Specifying the Startup System Image" section.

Understanding the ROM Monitor

The ROM monitor (ROMMON) is invoked at switch bootup, reset, or when a fatal exception occurs. The switch enters ROMMON mode if the switch does not find a valid software image, if the NVRAM configuration is corrupted, or if the configuration register is set to enter ROMMON mode. From ROMMON mode, you can manually load a software image from bootflash or a Flash disk, or you can boot up from the management interface. ROMMON mode loads a primary image from which you can configure a secondary image to boot up from a specified source either locally or through the network using the BOOTLDR environment variable. This variable is described in the "Controlling Environment Variables" section.

You can also enter ROMMON mode by restarting the switch and then pressing Ctrl-C during the first five seconds of startup. If you are connected through a terminal server, you can escape to the Telnet prompt and enter the send break command to enter ROMMON mode.


Note Ctrl-C is always enabled for five seconds after you reboot the switch, regardless of whether the configuration-register setting has Ctrl-C disabled.


The ROM monitor has these features:

Power-on confidence test

Hardware initialization

Boot capability (manual bootup and autoboot)

File system (read-only while in ROMMON)

Configuring the Software Configuration Register

The switch uses a 16-bit software configuration register, which allows you to set specific system parameters. Settings for the software configuration register are preconfigured in NVRAM.

Following are some reasons you might want to change the software configuration register settings:

To select a boot source and default boot filename

To control broadcast addresses

To set the console terminal baud rate

To load operating software from Flash memory

To recover a lost password

To manually boot the system using the boot command at the bootstrap program prompt

To force an automatic bootup from the system bootstrap software (boot image) or from a default system image in onboard Flash memory, and read any boot system commands that are stored in the configuration file in NVRAM


Caution To avoid possibly halting the Catalyst 4500 series switch, remember that valid configuration register settings might be combinations of settings and not just the individual settings listed in Table 3-2. For example, the factory default value of 0x0102 is a combination of settings.

Table 3-2 lists the meaning of each of the software configuration memory bits. Table 3-3 defines the boot field.

Table 3-2 Software Configuration Register Bits 

Bit Number [1]   Hexadecimal        Meaning
00 to 03         0x0000 to 0x000F   Boot field (see Table 3-3)
04               0x0010             Unused
05               0x0020             Bit two of console line speed
06               0x0040             Causes system software to ignore NVRAM contents
07               0x0080             OEM [2] bit enabled
08               0x0100             Unused
09               0x0200             Unused
10               0x0400             IP broadcast with all zeros
11 to 12         0x0800 to 0x1000   Bits one and zero of Console line speed (default is 9600 baud)
13               0x2000             Loads ROM monitor after netboot fails
14               0x4000             IP broadcasts do not have network numbers

[1] The factory default value for the configuration register is 0x0102. This value is a combination of the following: binary bit 8 = 0x0100 and binary bits 00 through 03 = 0x0002 (see Table 3-3).

[2] OEM = original equipment manufacturer.


Table 3-3 Explanation of Boot Field (Configuration Register Bits 00 to 03) 

Boot Field   Meaning
00           Stays at the system bootstrap prompt (does not autoboot).
01           Boots the first system image in onboard Flash memory.
02 to 0F     Autoboots using image(s) specified by the BOOT environment variable. If more than one image is specified, the switch attempts to boot the first image specified in the BOOT variable. As long as the switch can successfully boot from this image, the same image will be used on a reboot. If the switch fails to boot from the image specified in the BOOT variable, the switch will try to boot from the next image listed in the BOOT variable. If the end of the BOOT variable is reached without the switch booting successfully, the switch attempts the boot from the beginning of the BOOT variable. The autoboot continues until the switch successfully boots from one of the images specified in the BOOT variable.


Modifying the Boot Field and Using the boot Command

The configuration register boot field determines whether the switch loads an operating system image and, if so, where it obtains this system image. The following sections describe how to use and set the configuration register boot field and the procedures you must perform to modify the configuration register boot field. In ROMMON, you can use the confreg command to modify the configuration register and change boot settings.

Bits 0 through 3 of the software configuration register contain the boot field.


Note The factory default configuration register setting for systems and spares is 0x0102.


When the boot field is set to either 00 or 01 (0-0-0-0 or 0-0-0-1), the system ignores any boot instructions in the system configuration file and the following occurs:

When the boot field is set to 00, you must boot up the operating system manually by issuing the boot command at the system bootstrap or ROMMON prompt.

When the boot field is set to 01, the system boots the first image in the bootflash single in-line memory module (SIMM).

When the entire boot field equals a value between 0-0-1-0 and 1-1-1-1, the switch loads the system image specified by boot system commands in the startup configuration file.

You can enter the boot command only, or enter the command and include additional boot instructions, such as the name of a file stored in Flash memory, or a file that you specify for booting from a network server. If you use the boot command without specifying a file or any other boot instructions, the system boots from the default Flash image (the first image in onboard Flash memory). Otherwise, you can instruct the system to boot up from a specific Flash image (using the boot system flash filename command).

You can also use the boot command to boot up images stored in the compact Flash cards located in slot 0 on the supervisor engine.

Modifying the Boot Field

Modify the boot field from the software configuration register. To modify the software configuration register boot field, perform this task:

 
Step     Command                                 Purpose
Step 1   Switch# show version                    Determines the current configuration register setting.
Step 2   Switch# configure terminal              Enters configuration mode and specifies the terminal option.
Step 3   Switch(config)# config-register value   Modifies the existing configuration register setting to reflect the way you want the switch to load a system image.
Step 4   Switch(config)# end                     Exits configuration mode.
Step 5   Switch# reload                          Reboots the switch to make your changes take effect.

To modify the configuration register while the switch is running Cisco IOS software, follow these steps:


Step 1 Enter the enable command and your password to enter privileged level, as follows:

Switch> enable
Password: 
Switch#

Step 2 Enter the configure terminal command at the EXEC mode prompt (#), as follows:

Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# 

Step 3 Configure the configuration register to 0x102 as follows:

Switch(config)# config-register 0x102

Set the contents of the configuration register by specifying the value command variable, where value is a hexadecimal number preceded by 0x (see Table 3-2).

Step 4 Enter the end command to exit configuration mode. The new value settings are saved to memory; however, the new settings do not take effect until the system is rebooted.

Step 5 Enter the show version EXEC command to display the configuration register value currently in effect and the value that will be used at the next reload. The value is displayed on the last line of the screen display, as shown in this sample output:

Configuration register is 0x141 (will be 0x102 at next reload)

Step 6 Save your settings. (See the "Saving the Running Configuration Settings to Your Start-up File" section. Note that configuration register changes take effect only after the system reloads, such as when you enter a reload command from the console.)

Step 7 Reboot the system. The new configuration register value takes effect with the next system boot up.


Verifying the Configuration Register Setting

Enter the show version EXEC command to verify the current configuration register setting. In ROMMON mode, enter the show version command to verify the configuration register setting.

To verify the configuration register setting for the switch, perform this task:

Command                Purpose
Switch# show version   Displays the configuration register setting.


In this example, the show version command indicates that the current configuration register is set so that the switch does not automatically load an operating system image. Instead, it enters ROMMON mode and waits for you to enter ROM monitor commands.

Switch#show version
Cisco Internetwork Operating System Software
IOS (tm) Catalyst 4000 L3 Switch Software (cat4000-IS-M), Experimental
Version 12.1(20010828:211314) [cisco 105]
Copyright (c) 1986-2001 by cisco Systems, Inc.
Compiled Thu 06-Sep-01 15:40 by
Image text-base:0x00000000, data-base:0x00ADF444

ROM:1.15
Switch uptime is 10 minutes
System returned to ROM by reload
Running default software

cisco Catalyst 4000 (MPC8240) processor (revision 3) with 262144K bytes
of memory.
Processor board ID Ask SN 12345
Last reset from Reload
Bridging software.
49 FastEthernet/IEEE 802.3 interface(s)
20 Gigabit Ethernet/IEEE 802.3 interface(s)
271K bytes of non-volatile configuration memory.

Configuration register is 0xEC60

Switch# 
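The decoding that Table 3-2 and Table 3-3 describe, applied to the register line that show version prints, as an added Python example (not Cisco code). The function names are hypothetical, the bit meanings are copied from the two tables, and the sample lines are the ones shown in this chapter. It reports the states worth checking after maintenance: bit 06 set (NVRAM contents ignored at boot), boot field 00, and bits the table does not list.

```python
import re

BOOT_FIELD_MASK = 0x000F   # bits 00 to 03 (Table 3-3)
IGNORE_NVRAM = 0x0040      # bit 06 (Table 3-2)

# Single-bit entries of Table 3-2, keyed by their hexadecimal value.
FLAG_BITS = {
    0x0010: "unused (bit 04)",
    0x0020: "bit two of console line speed",
    0x0040: "system software ignores NVRAM contents",
    0x0080: "OEM bit enabled",
    0x0100: "unused (bit 08)",
    0x0200: "unused (bit 09)",
    0x0400: "IP broadcast with all zeros",
    0x0800: "console line speed (bit 11)",
    0x1000: "console line speed (bit 12)",
    0x2000: "loads ROM monitor after netboot fails",
    0x4000: "IP broadcasts do not have network numbers",
}
DOCUMENTED = BOOT_FIELD_MASK | sum(FLAG_BITS)  # every bit the tables describe

CONFREG_RE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]+)"
    r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?"
)


def boot_meaning(field):
    """Meaning of the 4-bit boot field, per Table 3-3."""
    if field == 0x0:
        return "stays at the system bootstrap prompt (does not autoboot)"
    if field == 0x1:
        return "boots the first system image in onboard Flash memory"
    return "autoboots using image(s) specified by the BOOT environment variable"


def decode_confreg(value):
    """Split a 16-bit configuration register value into its documented parts."""
    if not 0 <= value <= 0xFFFF:
        raise ValueError("configuration register is a 16-bit value")
    field = value & BOOT_FIELD_MASK
    return {
        "boot_field": field,
        "boot_meaning": boot_meaning(field),
        "flags": [name for bit, name in sorted(FLAG_BITS.items()) if value & bit],
        "ignores_nvram": bool(value & IGNORE_NVRAM),
        "undocumented_bits": value & ~DOCUMENTED & 0xFFFF,
    }


def parse_show_version(text):
    """Return (current, pending) register values, or None if the line is absent."""
    m = CONFREG_RE.search(text)
    if not m:
        return None
    pending = int(m.group(2), 16) if m.group(2) else None
    return int(m.group(1), 16), pending


def review(text):
    """List the register states a reviewer should look at in show version output."""
    parsed = parse_show_version(text)
    if parsed is None:
        return ["no configuration register line found"]
    notes = []
    for label, value in zip(("current", "next reload"), parsed):
        if value is None:
            continue
        info = decode_confreg(value)
        tag = f"{label} 0x{value:04X}"
        if info["ignores_nvram"]:
            notes.append(f"{tag}: NVRAM contents are ignored at boot")
        if info["boot_field"] == 0:
            notes.append(f"{tag}: {info['boot_meaning']}")
        if info["undocumented_bits"]:
            notes.append(f"{tag}: bits 0x{info['undocumented_bits']:04X} are not in Table 3-2")
    return notes


if __name__ == "__main__":
    # Register lines quoted from this chapter's sample output.
    for line in (
        "Configuration register is 0x141 (will be 0x102 at next reload)",
        "Configuration register is 0xEC60",
    ):
        print(line)
        for note in review(line):
            print("  -", note)
```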

Specifying the Startup System Image

You can enter multiple boot commands in the startup configuration file or in the BOOT environment variable to provide backup methods for loading a system image.

The BOOT environment variable is also described in the "Specify the Startup System Image in the Configuration File" section in the "Loading and Maintaining System Images and Microcode" chapter of the Cisco IOS Configuration Fundamentals Configuration Guide.

Use the following sections to configure your switch to boot from Flash memory. Flash memory can be either single in-line memory modules (SIMMs) or Flash disks. Check the appropriate hardware installation and maintenance guide for information about types of Flash memory.

Using Flash Memory

Flash memory allows you to do the following:

Copy the system image to Flash memory using TFTP

Boot the system from Flash memory either automatically or manually

Copy the Flash memory image to a network server using TFTP or RCP

Flash Memory Features

Flash memory allows you to do the following:

Remotely load multiple system software images through TFTP or RCP transfers (one transfer for each file loaded)

Boot a switch manually or automatically from a system software image stored in Flash memory (you can also boot directly from ROM)

Security Precautions

Note the following security precaution when loading from Flash memory:


Caution You can only change the system image stored in Flash memory from privileged EXEC level on the console terminal.

Configuring Flash Memory

To configure your switch to boot from Flash memory, perform the following procedure. (Refer to the appropriate hardware installation and maintenance publication for complete instructions on installing the hardware.)


Step 1 Copy a system image to Flash memory using TFTP or other protocols. Refer to the "Cisco IOS File Management" and "Loading and Maintaining System Images" chapters in the Cisco IOS Configuration Fundamentals Configuration Guide, Release 12.2, at the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fun_c/fcprt2/fcd203.htm

Step 2 Configure the system to boot automatically from the desired file in Flash memory. You might need to change the configuration register value. See the "Modifying the Boot Field and Using the boot Command" section, for more information on modifying the configuration register.

Step 3 Save your configurations.

Step 4 Power cycle and reboot your system to verify that all is working as expected.


Controlling Environment Variables

Although the ROM monitor controls environment variables, you can create, modify, or view them with certain commands. To create or modify the BOOT and BOOTLDR variables, use the boot system and boot bootldr global configuration commands, respectively.

Refer to the "Specify the Startup System Image in the Configuration File" section in the "Loading and Maintaining System Images and Microcode" chapter of the Configuration Fundamentals Configuration Guide for details on setting the BOOT environment variable.


Note When you use the boot system and boot bootldr global configuration commands, you affect only the running configuration. To save the configuration for future use, you must save the environment variable settings to your startup configuration, which places the information under ROM monitor control. Enter the copy system:running-config nvram:startup-config command to save the environment variables from your running configuration to your startup configuration.


You can view the contents of the BOOT and BOOTLDR variables using the show bootvar command. This command displays the settings for these variables as they exist in the startup configuration and in the running configuration if a running configuration setting differs from a startup configuration setting. This example shows how to check the BOOT and BOOTLDR variables on the switch:

Switch# show bootvar
BOOTLDR variable = bootflash:cat4000-is-mz,1;
Configuration register is 0x0

Switch#