The Cisco Command Line Interface (CLI) is a text-based interface used for configuring and managing Cisco network devices, including switches. The CLI provides a command-driven environment where network administrators can enter commands to perform various configuration, monitoring, and troubleshooting tasks on Cisco switches.
Setting the Administrative Functions
The administrative functions help you better manage/administer your network and makes troubleshooting much easier. These functions include:
- Hostnames
- Passwords
- Interface descriptions
Now that you have launched the CLI, type in the enable command to enter privileged EXEC mode. Set a Hostname, EXEC mode password, Console password, TELNET (VTY) password, and interface descriptions for the switch as shown in the table below.
| Description | Command |
|---|---|
| Enter privileged EXEC mode | Switch>enable |
| Enter global configuration mode | Switch#config t |
| Set a hostname | Switch(config)#hostname Core-Switch |
| Core-Switch(config)# | |
| EXEC mode Password | |
| Set EXEC mode Password | Core-Switch(config)#enable secret EXEC_P@55w0rd |
| Core-Switch(config)# | |
| Console Password | |
| Enter line configuration mode | |
| Set console Password | Core-Switch(config-line)# password CONSOLE_P@55w0rd |
| Return to the previous exec mode | Core-Switch(config-line)# exit |
| Core-Switch(config)# | |
| Telnet (VTY) Password | |
| Enter line configuration mode | Core-Switch(config)# line vty 0 15 |
| Set TELNET Password | Core-Switch(config-line)# password TELNET_P@55w0rd |
| Core-Switch(config-line)# login | |
| Return to the previous exec mode | Core-Switch(config-line)# exit |
| Core-Switch(config)# | |
| Interface Descriptions | |
| Enter interface configuration mode | Core-Switch(config)#int fa0/1 |
| Set interface description for int. f0/1 | Core-Switch(config-if)#description 1st Connection to Core Switch |
| Core-Switch(config-if)#int fa0/2 | |
| Set interface description for int. f0/2 | Core-Switch(config-if)#description 2nd Connection to Core Switch |
Configuring the IP Address and Subnet Mask
Since all ports on a switch are enabled by default, there is usually no IP address configured on its interfaces. IP addresses aren’t needed on a switch. The only reason we would set an IP address, mask, and default gateway is for management purposes. The IP address is configured under a logical interface, called a management domain or VLAN. You would typically use the default VLAN 1 to manage a switch, as shown in the example below.
| Description | Command |
|---|---|
| Enter line configuration mode | Core-Switch(config)#line vty 0 15 |
| Enter TELNET password | Core-Switch(config-line)#password TELNET_P@55w0rd |
| Core-Switch(config-line)#login | |
| Enter vlan interface configuration mode | Core-Switch(config-line)#int vlan 1 |
| Configure an IP address for the interface | Core-Switch(config-if)#ip address 192.168.10.2 255.255.255.0 |
| Enable the interface | Core-Switch(config-if)#no shut |
| Return to the previous exec. mode | Core-Switch(config-if)#exit |
| The set message of the day (motd) | Core-Switch(config)#banner motd # This is the Core-Switch # |
| Return to the previous EXEC mode | Core-Switch(config)#exit |
Setting the IP Default Gateway
If you want to manage your switches from outside your LAN, you need to set a default gateway on the switches, just as you would with a host. The default gateway is essentially the address of the router that the switch will be communicating with. If you don’t configure a default gateway, then VLAN1 will be unable to send traffic to another network. You do this from a global config.
| Description | Command |
|---|---|
| Enter global configuration mode | Core-Switch#config t |
| Configure default-gateway | Core-Switch(config)#ip default-gateway 192.168.10.1 |
| Return to the previous exec mode | Core-Switch(config)#exit |
| Core-Switch# | |
Setting Port Security
To prevent unauthorized access to your LAN, it is usually advisable to identify and limit the MAC addresses of the workstations that are allowed to access the switch port. Port security is the tool that helps us achieve this.
If you limit the number of secure MAC addresses to one and assign a single secure MAC address, the workstation attached to that port is assured the full bandwidth of the port. If a port is configured as a secure port and the maximum number of secure MAC addresses is reached. When the MAC address of a workstation attempting to access the port is different from any of the identified secure MAC addresses, a security violation occurs.
We have two options for associating MAC addresses with interfaces: static and dynamic. In the static method, we have to manually define the exact MAC address of the host. In the dynamic method, we use the sticky feature (see table below) that allows interfaces to learn MAC addresses automatically until it reaches the maximum number of allowed hosts.
| Description | Command |
|---|---|
| Enter privileged EXEC mode | Core-Switch#enable |
| Enter global configuration mode | Core-Switch#config t |
| Enter interface configuration mode | Core-Switch(config)#int range fa0/2-3 |
| Configure port security | Core-Switch(config-if-range)#switchport port-security maximum 1 |
| Configure interface to auto-learn MAC address | Core-Switch(config-if-range)#switchport port-security mac-address sticky |
The above commands set port security on ports fa0/2 and fa0/3 to allow a maximum association of one MAC address, and only the first MAC address associated with the port will be able to send frames through the switch. Use the sticky command if you don’t want to manually type in all the MAC addresses of each device. A security violation occurs if a workstation whose MAC address is unrecognized attempts to access the interface. We need to specify what action should be taken for security violations. Three possible modes are available:
- Protect Frames from non-allowed addresses would be dropped, and no log entry for dropped frames. This mode will only work with sticky options.
- Restrict Frames from non-allowed addresses would be dropped, and a log entry and security violation alert will be generated.
- Shutdown The switch will generate the violation alert and disable the port. The only way to re-enable the port is to manually enter the no shutdown command. This is the default violation mode. Here’s the command:
| Decription | Command |
|---|---|
| Disable the port in violation of the policy | Core-Switch(config-if-range)#switchport port-security violation shutdown |
| Return to the previous exec. mode | Core-Switch(config-if-range)#exit |
Saving Configuration Changes
Whenever you make changes to your switch configuration file, you must save the changes to memory, so they don’t get lost after reboot. There are two types of configuration files: the running (current operating) configuration and the startup configuration. The running configuration is stored in RAM (a volatile memory that loses its content after a restart or shutdown); the startup configuration is stored in NVRAM (a non-volatile memory that retains its content even after a restart or shutdown), thus avoiding reconfiguration every time it is powered off.
| Description | Command |
|---|---|
| Enter privileged EXEC mode | Core-Switch > enable |
| Save configuration to NVRAM | Core-Switch # copy running-config startup-config |
Configuring VLANs
Virtual Local Area Network (VLAN), as the name implies, is a virtual segmentation of a switched network to provide for security, flexibility, and effective network administration. So by assigning switch ports or users to VLAN groups on a switch or group of connected switches. You gain the flexibility to add only the users or departments you want into that broadcast domain, without worrying about the physical location of the hosts.
You can create VLANs from 2 to 4094 depending on the model of your switch. VLAN 1 is the default VLAN. You can manually or dynamically (via the Dynamic Trunking Protocol) configure a port as an access or trunk port. A switch port can belong to only one VLAN if it is an access port (carries the traffic of only one VLAN) or all VLANs if it is a trunk port (carries the traffic of multiple VLANs). To configure VLANs on a Cisco Catalyst switch, use the global config vlan command as shown below:
| Description | Command |
|---|---|
| Enter global configuration mode | Core-Switch#config t |
| Create VLAN 2 | Core-Switch(config)#vlan 2 |
| Allocate VLAN 2 to the Finance dept. | Core-Switch (config-vlan)#name Finance |
| Create VLAN 3 | Core-Switch(config-vlan)#vlan 3 |
| Allocate VLAN 3 to the Audit dept. | Core-Switch(config-vlan)#name Audit |
| Return to the previous exec. mode | Core-Switch(config-vlan)#^Z |
| Core-Switch# | |
Assigning Switch Ports to VLANs
You configure a port to belong to a VLAN by assigning a membership mode that specifies the kind of traffic the port carries, plus the number of VLANs to which it can belong. You can configure each port on a switch to be in a specific VLAN (access port) by using the interface switchport command as shown below.
| Description | Command |
|---|---|
| Enter global configuration mode | Core-Switch#config t |
| Enter interface configuration mode | Core-Switch(config)#int fa0/3 |
| configure access port | Core-Switch(config-if)#switchport mode access |
| Core-Switch(config-if)#switchport access vlan 3 | |
To configure trunking and encapsulation on a Fast Ethernet port fa0/5, use the following command:
| Description | Commad |
|---|---|
| Enter global configuration mode | Core-Switch#config t |
| Enter interface configuration mode | Core-Switch(config)#int fa0/5 |
| Configure encapsulation | Core-Switch(config-if)#switchport trunk encapsulation dot1q |
| Configure trunking | Core-Switch(config-if)#switchport mode trunk |
The switchport mode command can be configured using four different options:
- Switchport mode trunk The interface is configured into perpetual trunking mode and negotiates to convert the neighboring link into a trunk link.
- Switchport mode access Disables port trunk mode; puts the interface (access port) into permanent non-trunking mode. No trunking negotiation takes place.
- Switchport mode is dynamically desirable This is the default mode for all Ethernet interfaces. The interface becomes a trunk interface if the neighboring interface is set to trunk, desirable, or auto mode.
- Switchport mode dynamic auto Makes the interface become a trunk only if the connected port is set to trunk or desirable.
- Switchport no-negotiate Prevents the interface from producing Dynamic Trunking Protocol frames
Configure Access Control List
To configure the access control list and associated parameters, use the following command:
| Description | Command |
|---|---|
| Enter the access list number, permissions, and other parameters | Core-Switch(config)#access-list [acl-number] [permit|deny] [source] [destination] [protocol] |
| Configure interface name | Core-Switch(config-if)#interface [interface-name] |
| Configure ip access group | Core-Switch(config-if)#ip access-group [acl-number] [in|out] |
Verifying Your Configuration
Now that you are done configuring your switch, you need to test and verify your configuration. The following are some useful commands:
| Description | Command |
|---|---|
| Show the current running configuration | Core-Switch# show run |
| Show the configuration of all interfaces and the status of each one | Core-Switch#show interfaces |
| Show all vlan numbers, names, and ports associated with each vlan | Core-Switch# show vlan |
| Show the status of interfaces, speed, duplex | Core-Switch#show interface status |
| Show the current MAC address table and the learned MAC address on each interface | Core-Switch# show mac |
| Show spanning tree | Core-Switch#(config)#do show spanning-tree |
The above cheat sheet provides a basic summary of the Cisco CLI switch commands. Remember to replace the specific parameters used and/or placeholders such as [interface-name], [mode], [number], [acl-number], [source], [destination], and [protocol] with the appropriate values for your configuration. Please note that the specific command syntax and available options may vary depending on the switch model and firmware version. Refer to the Cisco documentation and command references for detailed information on specific commands and their usage.
