Chapter 3. A crash course on Cisco’s Internetwork Operating System

If you’re used to using a graphical user interface (GUI) for system administration, administering a Cisco network will take some getting used to. Although Cisco has made a modest effort at point-and-click configuration utilities, the command-line interface (CLI) has always been available. It’s powerful, efficient, and mostly unambiguous. When you type configuration commands into a switch or router, you’re generally going to have a pretty good idea about what that command will do. Unlike a GUI, which hides a lot of things behind colorful buttons and user-friendly messages, the CLI is black and white.

If you’re not used to using the command line on other platforms like Windows or Linux, don’t worry. In many ways, the IOS CLI is easier because it provides inline help, which I’ll show you how to access in a moment.

3.1. What is IOS?

The vast majority of Cisco routers and switches run the Cisco Internetwork Operating System (IOS). IOS controls every aspect of a device’s operation, including who can log into it, what traffic is allowed or blocked, whether an interface is enabled or disabled, and so on.

IOS provides a command-line interface to configure Cisco devices. You’ll perform all of the configuration tasks in this book at the IOS command line, so it’s important that you understand how to navigate it. In this chapter, you’ll learn how to access the IOS CLI and how to use it to view, change, and save device configurations.

IOS is powerful—so powerful you can easily bring down an entire network by accidentally typing in the wrong command. The commands you’ll learn in this chapter are fairly innocuous, and you can safely execute all of them in a production environment—with permission, of course. Just be aware that typing in random commands can be catastrophic, so don’t get into the habit of doing it. If you have a lab that you can break, feel free to experiment, but don’t jump around in the book. You still need to go through it chapter by chapter.

Above and beyond

IOS-XE is another Cisco operating system that runs regular IOS under the hood. IOS and IOS-XE use different software architectures, but the commands are almost identical. All of the commands used in this book should work fine on IOS-XE.

3.2. Logging into Cisco devices

Whether you’re connecting to a Cisco router or switch, the process is mostly the same. First, you need to have a terminal client that supports both Telnet and Secure Shell (SSH). For Windows, I recommend PuTTY, which you can download from http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html. If you’re a Mac OS X or Linux aficionado, you can use the telnet or ssh commands from your terminal. I use Windows and PuTTY for the examples in this book, but just know that once you’re connected to a Cisco device, your operating system and terminal client make little difference. The configuration commands you’ll use to configure the devices are exactly the same.

Open your terminal client of choice and connect to one of the switches in your environment. I’m going to connect to my lab switch by typing its management IP address in the Host Name (or IP address) field, selecting Telnet, and clicking Open, as shown in figure 3.1. If you can’t connect via Telnet, try SSH instead. PuTTY’s interface hasn’t changed much over the years, but if it ever does, the basic settings should still be the same.

Figure 3.1. The PuTTY configuration window. In the Host Name (or IP address) field, type the IP address of the device you want to connect to. Select Telnet or SSH, and then click Open.

When prompted, enter the username and password of a privileged user. You should see the switch hostname followed by either a hash (#) or a greater-than sign (>):

If you don’t see the hash sign, type enable and press Enter. You may be prompted for another password called the enable password. If you log in successfully, you should see a prompt with a hash (#) sign. Cisco calls this privileged EXEC mode, but many people call it enable mode. Enable mode is like root or administrator mode in the sense that it lets you view more detailed information on the switch and make configuration changes.

Try it now

Go ahead and log into one of your layer-3 switches. Make sure that you can get to enable mode. If you can’t, don’t continue past this chapter. You must be able to get into enable mode on all devices, or else you can’t administer your network. The biggest obstacle to getting into enable mode is not having the correct enable password. Make sure you type it correctly!

Keep in mind that depending on the switch’s individual setting, you may get kicked out after a period of inactivity. This is a security setting and doesn’t indicate anything wrong with your setup. If this happens, just log back in and go back to where you left off.

3.3. The show command

The show command is the one command you’re going to use more than any other. It can show you almost any information about the device you’re logged into. Type show ? at the prompt. The inline help should fill your screen with an intimidating list of commands that can tell you about different aspects of the device. This list is multiple screens long, and each screen is followed by a --More-- prompt. Press the spacebar to scroll to the next screen. And the next. And the next. Keep pressing the spacebar until the switch drops you back to the prompt. Alternatively, you can press any key (other than Enter or the spacebar) to exit the inline help and get back to the prompt:

Switch1#show ?
  aaa                Show AAA values
  access-expression  List access expression
  access-lists       List access lists
  adjacency          Adjacent nodes
  aliases            Display alias commands
  ...

  vtp                VTP information
  wsma               Show Web Services Management Agents information
  xdr                Show details about XDR
  xos                Cross-OS Library Information and Traces
  xsd-format         Show the ODM XSD for the command

Switch1#show

Notice that there are two columns. The left column contains the actual commands, whereas the right column has a brief description of what kind of information the command provides.

Most show commands require one or more subcommands. For example, if you type show ip and press Enter, you’ll get an error:

Switch1#show ip
% Incomplete command.

Switch1#

This indicates that a subcommand is required to view IP-related information. Considering the large number of show commands, it’s unreasonable to expect you to remember all or even most of them. Fortunately, you don’t have to. If you type show ip ?, another not-as-long list of subcommands should pop up. Notice that this list is different from the last one. It’s shorter and it contains only IP-related subcommands:

Switch1#show ip ?
  access-lists          List IP access lists
  accounting            The active IP accounting database
  admission             Network Admission Control information
  aliases               IP alias table
  arp                   IP ARP table
  as-path-access-list   List AS path access lists
  auth-proxy            Authentication Proxy information
  bgp                   BGP information
  cache                 IP fast-switching route cache
  cef                   Cisco Express Forwarding
  community-list        List community-list
  device                Show IP Tracking Hosts
  dhcp                  Show items in the DHCP database
  eigrp                 Show IPv4 EIGRP
  extcommunity-list     List extended-community list
  flow                  NetFlow switching
  host                  IP host information
  http                  HTTP information
  igmp                  IGMP information
  interface             IP interface status and configuration
  irdp                  ICMP Router Discovery Protocol
  local                 IP local options
 --More--

If you thought the first list of show commands was bad, the total number of possible show commands is much, much worse. Fortunately, there are only a handful of commands you actually need to remember. Let’s look at one of them.

On the first list of show ip subcommands, about halfway down the page, you should see interface followed by IP interface status and configuration.

Type interface ? so that the full command reads show ip interface ?. Now you get a much shorter list consisting mostly of interface types such as FastEthernet and GigabitEthernet, followed by an option for brief:

Switch1#show ip interface ?
  Async                 Async interface
  Auto-Template         Auto-Template interface
  BVI                   Bridge-Group Virtual Interface
  CTunnel               CTunnel interface
  Dialer                Dialer interface
  FastEthernet          FastEthernet IEEE 802.3
  Filter                Filter interface
  Filtergroup           Filter Group interface
  GigabitEthernet       GigabitEthernet IEEE 802.3z
  GroupVI               Group Virtual interface
  Lex                   Lex interface
  Loopback              Loopback interface
  Null                  Null interface
  Port-channel          Ethernet Channel of interfaces
  Portgroup             Portgroup interface
  Pos-channel           POS Channel of interfaces
  Tunnel                Tunnel interface
  Vif                   PGM Multicast Host interface
  Virtual-Template      Virtual Template interface
  Virtual-TokenRing     Virtual TokenRing
  Vlan                  Catalyst Vlans
  brief                 Brief summary of IP status and configuration
 --More--

Type brief ? and you should get a list almost identical to the last one:

Look toward the bottom at the very last line that says <cr>. This means “carriage return,” which is a fancy term for the Enter key. The <cr> indicates that you can press Enter without adding any additional subcommands. This is a good clue that the show command you’ve entered is probably going to work without any errors. If you don’t see a <cr> at the bottom of the list, it means you have to specify more subcommands before pressing Enter. Go ahead and press Enter on the show ip interface brief command.

You should see a list of all the interfaces on the switch along with any assigned IPs. Your Vlan1 interface has an assigned IP address of 192.168.1.101. That should look familiar. It’s the IP address you’re connected to!

Try it now

Run show ip interface brief. Locate the interface and IP address that you used to connect to the switch.

3.3.1. Filtering output

The show commands can produce a lot of output, and if you’re looking for just one or two lines in a screen full of data, it can become pretty time-consuming. The include and exclude commands are two parsing commands that let you filter show command output to display only the lines you want to see.

Including lines

Type another show ip interface brief ?. On the second-to-last line you should see a pipe character (|) listed as the output modifier. The pipe character is commonly used in scripts and batch files to pipe or redirect output from one command to another. In IOS, the pipe command has a similar function—to pipe the output to one of IOS’s built-in parsing functions:

Go ahead and press Enter on the show ip interface brief command:

Switch1#show ip interface brief
Interface                     IP-Address        OK? Method  Status      Protocol
Vlan1                         192.168.1.101     YES NVRAM   up          up
FastEthernet0/1               unassigned        YES unset   up          up
FastEthernet0/2               unassigned        YES unset   down        down
FastEthernet0/3               unassigned        YES unset   down        down
FastEthernet0/4               unassigned        YES unset   down        down
FastEthernet0/5               unassigned        YES unset   down        down
FastEthernet0/6               unassigned        YES unset   down        down
FastEthernet0/7               unassigned        YES unset   down        down
FastEthernet0/8               unassigned        YES unset   down        down
FastEthernet0/9               unassigned        YES unset   down        down
FastEthernet0/10              unassigned        YES unset   down        down
FastEthernet0/11              unassigned        YES unset   down        down
FastEthernet0/12              unassigned        YES unset   down        down
FastEthernet0/13              unassigned        YES unset   down        down
FastEthernet0/14              unassigned        YES unset   down        down
FastEthernet0/15              unassigned        YES unset   down        down
FastEthernet0/16              unassigned        YES unset   down        down
FastEthernet0/17              unassigned        YES unset   down        down
FastEthernet0/18              unassigned        YES unset   down        down
FastEthernet0/19              unassigned        YES unset   down        down
FastEthernet0/20              unassigned        YES unset   down        down
FastEthernet0/21              unassigned        YES unset   down        down
FastEthernet0/22              unassigned        YES unset   down        down
FastEthernet0/23              unassigned        YES unset   down        down
FastEthernet0/24              unassigned        YES unset   down        down
GigabitEthernet0/1            unassigned        YES unset   down        down
GigabitEthernet0/2            unassigned        YES unset   down        down

You should see a lot of FastEthernet interfaces and a couple of GigabitEthernet interfaces, but you’re not interested in those. You just want to see the Vlan1 interface. If you don’t want to scan through 28 lines of output, you can include only the lines with the search term Vlan in them using the command show ip interface brief | include Vlan:

Switch1#show ip interface brief | include Vlan
Vlan1                  192.168.1.101   YES NVRAM  up           up
Switch1#

Notice that instead of 28 lines, you get one containing the exact information you want.

Note

The command includes the word Vlan with a capital V. When it comes to filtering, IOS is case-sensitive. The command show ip interface brief | include vlan won’t show anything because vlan with a lowercase v doesn’t appear anywhere in the output.

Excluding lines

Suppose that you want to see IP information on all of your interfaces except the FastEthernet ones. For this you can use the exclude keyword to leave out any lines that contain the search term Fast.

Type show ip interface brief | exclude Fast and press Enter. Now you get only four lines of output showing you all interfaces except the FastEthernet ones:

Switch1#show ip interface brief | exclude Fast
Interface                     IP-Address        OK? Method Status       Protocol
Vlan1                         192.168.1.101     YES NVRAM  up           up
GigabitEthernet0/1            unassigned        YES unset  down         down
GigabitEthernet0/2            unassigned        YES unset  down         down

Switch1#

Above and beyond

IOS supports using regular expressions (regexes) in search terms. Regexes provide a way to specify complex search strings. If you want to specify multiple search terms simultaneously, you can include a pipe character between them. For example, if you want to view all lines with “Fast” or “Giga,” you could type show ip interface brief | include Fast|Gig.

Try it now

Practice filtering output using the following show ip commands. These commands are safe and will not interfere with any switch functionality:

show ip interface | include up|Internet
show ip interface brief | exclude down

Also, try to find the command that would show you detailed information on all interfaces, but filter the output to include only lines with the term “address.”

3.4. Identifying the IOS version and package

Although network folks colloquially refer to Cisco IOS as a single operating system, there are actually many different IOS images. You don’t need to know all the differences between them, but you do need to be able to determine which image your switch or router is running so you can determine which features and functionality are available.

Cisco IOS images vary by platform, version, and package. You can view this information in one fell swoop with the show version | include IOS command:

Switch1#show version | include IOS
Cisco IOS Software, C3560 Software (C3560-IPSERVICESK9-M), Version 15.0(2)SE5, RELEASE SOFTWARE (fc1)
Switch1#

The platform C3560 describes the hardware this IOS image is designed for. In my case, it’s for a Catalyst 3560 switch. The platform isn’t going to come as much of a surprise to you because you already know whether you’re connected to a router or a switch. Let’s look at the more interesting parts of this output: the version and package.

3.4.1. Version numbers

My switch is running version 15.0(2)SE5. The 15 is the major release, .0 is the minor release, and (2) is the feature release. You don’t need to know the differences between these, but if you ever deal with Cisco technical support and the tech asks, “What feature release are you on?” it’s helpful to know.

SE indicates the platform/family identifier, and 5 is the maintenance rebuild number. The SE indicates that the IOS version is for Cisco Catalyst switches. This might seem redundant because the C3560 is a dead giveaway.

Releases 12 and 15 are the most common major releases as of this writing. Cisco skipped 13 and 14 because they consider those numbers unlucky. As far as minor releases go, it’s not unusual to see something as early as 12.1. I recently logged into a switch running 12.1 that had been up continuously for almost seven years!

You’re not likely to see anything earlier than 12.0, although it’s possible. Anything prior to that is ancient by technological standards. If you’re working in an environment that’s running anything earlier than 12.0, I suggest getting out of there!

Above and beyond

Upgrading IOS is beyond the scope of this book because it’s not an everyday administrative task. If you ever find the need to upgrade, you’re better off letting a qualified network consultant take care of it. Upgrading the IOS image on production equipment can be a harrowing experience even for Cisco-certified professionals.

3.4.2. Packages

Packages are also known as feature sets because they determine what specific features are available. There are three common packages you may run into:

Let’s take another look at the package I’m running:

Cisco IOS Software, C3560 Software (C3560-IPSERVICESK9-M), Version 15.0(2)SE5, RELEASE SOFTWARE (fc1)

Although it’s buried a little, the C3560-IPSERVICESK9-M in parentheses indicates I’m running the Advanced IP Services package. Advanced IP Services contains more functionality than IP Base, and Advanced Enterprise Services contains all possible features.
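The following Python sketch is an added example, not code from the book: it splits the show version | include IOS line into the platform, image name, and version fields described above. The function and field names are assumptions, the regex accepts only the banner format shown on this page, and the K9 check relies on Cisco's general image-naming convention rather than anything stated in this chapter.

```python
import re
from typing import NamedTuple

# The exact line shown above for Switch1.
SAMPLE = ("Cisco IOS Software, C3560 Software (C3560-IPSERVICESK9-M), "
          "Version 15.0(2)SE5, RELEASE SOFTWARE (fc1)")

BANNER_RE = re.compile(
    r"Cisco IOS Software, (?P<platform>\S+) Software "
    r"\((?P<image>[^)]+)\), Version (?P<version>[^,\s]+)"
)
# major.minor(feature)TRAINrebuild, e.g. 15.0(2)SE5
VERSION_RE = re.compile(
    r"(?P<major>\d+)\.(?P<minor>\d+)\((?P<feature>\d+[a-z]?)\)"
    r"(?P<train>[A-Z]*)(?P<rebuild>\d*[a-z]?)"
)


class IosImage(NamedTuple):
    platform: str      # hardware the image is built for, e.g. C3560
    image: str         # full image name from the parentheses
    feature_set: str   # package token inside the image name
    major: int
    minor: int
    feature: str       # feature release, the number in parentheses
    train: str         # platform/family identifier, e.g. SE
    rebuild: str       # maintenance rebuild number

    @property
    def has_crypto(self):
        # Assumption from Cisco's naming convention (not stated on this page):
        # K9 in the image name marks an image with cryptographic features.
        return "K9" in self.feature_set

    def older_than(self, major, minor=0):
        """True if this image's major.minor release is below the given one."""
        return (self.major, self.minor) < (major, minor)


def parse_show_version(line):
    """Parse one 'show version | include IOS' line into an IosImage."""
    banner = BANNER_RE.search(line)
    if banner is None:
        raise ValueError("not a 'Cisco IOS Software' banner line")
    version = VERSION_RE.fullmatch(banner["version"])
    if version is None:
        raise ValueError("unrecognized version string: " + banner["version"])
    # Image names look like PLATFORM-FEATURESET-M; keep the middle part.
    parts = banner["image"].split("-")
    feature_set = "-".join(parts[1:-1]) if len(parts) >= 3 else ""
    return IosImage(
        platform=banner["platform"],
        image=banner["image"],
        feature_set=feature_set,
        major=int(version["major"]),
        minor=int(version["minor"]),
        feature=version["feature"],
        train=version["train"],
        rebuild=version["rebuild"],
    )


if __name__ == "__main__":
    info = parse_show_version(SAMPLE)
    print(info)
    print("older than 12.0:", info.older_than(12, 0))
    print("crypto image:", info.has_crypto)
```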

Try it now

Type show version to view the IOS version on each of your switches. Verify that you have at least the Advanced IP Services feature set. You don’t need IOS version 15, but the higher the version, the better.

3.5. Viewing the running configuration

During normal operation, Cisco devices store most configuration settings in random access memory (RAM). This is called the running configuration. The running configuration is what IOS looks at in real time. Hence, any changes you make to the running configuration take effect almost immediately. For example, if you change the management IP address of a switch, that change gets stored in the running configuration and becomes effective immediately.

The running configuration is a long string of text—essentially a text file—split up into various sections that control different aspects of the device. As you get to know your network and begin to make changes to it in the coming chapters, you need to know how to locate and view each of these sections. To view the entire running configuration, type show running-config:

Switch1#show running-config
Building configuration...

Current configuration : 3069 bytes
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Switch1
!
boot-start-marker
boot-end-marker
!
!
!
username admin privilege 15 secret 5 $1$r/gI$sNjAw2i0L1Syobws.5tzT1
no aaa new-model
system mtu routing 1500
vtp domain cisco
vtp mode transparent
!
!
 --More--

Note

You can abbreviate IOS commands to avoid typing out the entire thing. For example, you can type sh run instead of show running-config and it will do the same thing. The inline help doesn’t give you a list of abbreviations, but as long as what you type isn’t ambiguous, IOS will figure out what you mean.

Your configuration may be verbose or just a few screens long. Keep pressing the spacebar until you get to the part that lists the interfaces:

!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
 ip address 192.168.1.101 255.255.255.0
!
ip http server
ip http secure-server
!
!
!
 --More--

Near the end of your switch’s configuration, you should have a section called interface Vlan1. Notice that the next line containing the IP address is indented by one space, indicating it’s part of this section. You can view only this section using the command show run | section Vlan1:

Switch1#show run | section Vlan1
interface Vlan1
 ip address 192.168.1.101 255.255.255.0
Switch1#

The section keyword is another filter you can use to select specific sections of the running configuration for viewing. You can also use the include and exclude keywords if you like.
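As an added example (not from the book), this Python model reproduces the include, exclude, and section filters on abbreviated copies of the output shown earlier, including the case-sensitivity pitfall and the way section follows indentation. It approximates IOS behavior for the simple patterns used in this chapter; the function names and the trimmed sample data are assumptions.

```python
import re

# Constructed sample, abbreviated from the "show ip interface brief" output above.
SHOW_IP_INT_BRIEF = """\
Interface                     IP-Address        OK? Method  Status      Protocol
Vlan1                         192.168.1.101     YES NVRAM   up          up
FastEthernet0/1               unassigned        YES unset   up          up
FastEthernet0/2               unassigned        YES unset   down        down
GigabitEthernet0/1            unassigned        YES unset   down        down
GigabitEthernet0/2            unassigned        YES unset   down        down
"""

# Constructed sample, abbreviated from the running configuration above.
RUNNING_CONFIG = """\
hostname Switch1
!
interface GigabitEthernet0/2
!
interface Vlan1
 ip address 192.168.1.101 255.255.255.0
!
ip http server
"""


def include(output, pattern):
    """Model of '| include': keep lines the regex matches (case-sensitive)."""
    rx = re.compile(pattern)
    return [line for line in output.splitlines() if rx.search(line)]


def exclude(output, pattern):
    """Model of '| exclude': drop lines the regex matches."""
    rx = re.compile(pattern)
    return [line for line in output.splitlines() if not rx.search(line)]


def section(output, pattern):
    """Model of '| section': keep each matching line plus the more deeply
    indented lines directly under it."""
    rx = re.compile(pattern)
    kept = []
    parent_indent = None  # indent of the matched header we are inside, if any
    for line in output.splitlines():
        indent = len(line) - len(line.lstrip(" "))
        if parent_indent is not None and line.strip() and indent > parent_indent:
            kept.append(line)  # child line of a matched header
            continue
        parent_indent = None   # left the matched section
        if rx.search(line):
            kept.append(line)
            parent_indent = indent
    return kept


if __name__ == "__main__":
    print(include(SHOW_IP_INT_BRIEF, "Vlan"))      # one line
    print(include(SHOW_IP_INT_BRIEF, "vlan"))      # empty: lowercase v never appears
    print(exclude(SHOW_IP_INT_BRIEF, "Fast"))      # header, Vlan1, two Gigabit lines
    print(include(SHOW_IP_INT_BRIEF, "Fast|Gig"))  # alternation, as in the sidebar
    print(section(RUNNING_CONFIG, "Vlan1"))        # header plus its indented line
```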

Try it now

View the running configuration of your switch. Pick a section of the configuration and use an output filter to view only that section.

3.6. Changing the running configuration

You can change the running configuration on the fly. There’s no need to reboot or otherwise commit your changes. In many cases, as soon as you type a command, it takes effect.

You’ll be configuring your Cisco devices from the command line, what Cisco calls the terminal. To make configuration changes, you need to enter a special mode called global configuration mode. Get into global configuration mode by typing configure terminal:

Switch1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch1(config)#

The prompt changes to Switch1(config)#, indicating that you’re in global configuration mode. The inline help works here too. If you type a question mark (?), you get a long list of commands, similar to those show commands earlier:

Just to demonstrate how the configuration cadence works, suppose you want to change the login banner, which is a string of text that IOS displays when you log in. But you’re not sure how the banner command works. If you type banner ?, you’ll get a list of banner subcommands:

You’re still not sure what to do, so you type banner login ? and get a little more information:

Switch1(config)#banner login ?
  LINE  c banner-text c, where 'c' is a delimiting character

This is where you have to pay close attention to the inline help. It indicates you need to enter a delimiting character that specifies the end of the message, followed by the message itself, and then the delimiting character again. Type the hash (#) sign and press Enter:

Now that you’ve finished, type exit to get out of global configuration mode. The change you just made is effective immediately. Now log out of the switch by typing exit again. If you’re using PuTTY, your session should close.

Open PuTTY back up and reconnect to the switch. This time, you should see the login banner!

Try it now

Get into global configuration mode and change the login banner. Log out of the switch and reconnect to it. Do you see the banner?

Although the configuration is stored in running configuration, it’s not permanent. The running configuration is stored in RAM, which gets cleared when the switch gets powered off or rebooted. In order to make your change permanent, you have to save the running configuration to the startup configuration. This is a vitally important step to ensure any configuration changes you made don’t get inadvertently reversed later on.

3.7. Saving the startup configuration

When a Cisco device boots, IOS reads the startup configuration, which is stored in the aptly named startup-config file. This file is stored permanently in non-volatile RAM (NVRAM), which is a special type of memory that persists even when the switch reboots or loses power. You can think of NVRAM as like a hard disk. The data stays there whether the device is on or off. IOS then copies the contents of the startup-config file into RAM, and that becomes the running configuration.

When you make a change to the running configuration—like changing the login banner—you usually want to make it permanent by saving the running configuration to the startup-config file.

The surefire way to do this is with the command copy running-config startup-config. When you type this command and press Enter, IOS prompts you for the filename, which shows up in brackets, indicating you can press Enter to accept the given filename:

Switch1#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
Switch1#

After about a second, the switch saves the startup-config file. Now when you reboot the switch, the change you made to the login banner will persist.

Try it now

Save the running configuration on your switch. If you have permission and can do so safely, reboot your switch using the reload command. See if your new login banner is still there.

Above and beyond

I like to use a shorter command to save the startup configuration. write memory (which you can abbreviate wr me) does something similar to copy run start, except it doesn’t prompt you for the filename of the destination file. Keep in mind that the abbreviated command doesn’t work on all Cisco devices.

3.8. The no command

Most configuration commands can be negated using the no command. Putting no before a command removes it from the running configuration.

You’ll use the no command to remove the login banner you just created. First, check the running configuration for the exact command:

Switch1#show run | include banner
banner login ^C

The configuration looks a bit different than what you typed. You didn’t ever type ^C in global configuration mode, yet there it is. This isn’t a cause for concern because IOS sometimes changes or reorders the commands you type. Also notice that the message Welcome to Switch1! doesn’t show up either. It’s on a separate line in the configuration, so it doesn’t show up in the output. But that’s not a problem because you just need to remove the banner login command.

To do this, go back into global configuration mode and place a no before the command:

Now you need to verify that IOS actually removed the configuration command:

Switch1#show run | include banner
Switch1#

You get no output, so you know that IOS did your bidding and removed that command from the running configuration. But the command still exists in the startup configuration:

Switch1#show startup-config | include banner
banner login ^C
Switch1#

To make the removal permanent, you have to save the running configuration again, overwriting the existing startup-config:

IOS overwrites the existing startup configuration with the running configuration, and you’re finished!
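The comparison of running and startup configuration described in this section can be automated on saved copies of the two outputs. The Python sketch below is an added example, not from the book: it keeps each indented line tied to its section and treats banner text as belonging to its banner command, then reports what is present in only one configuration. The sample configurations are constructed from the output on this page, and all function names are assumptions.

```python
import re

# Header lines the show commands print that are not configuration.
NOISE = re.compile(
    r"^(Building configuration\.\.\.|Current configuration : \d+ bytes"
    r"|Using \d+ out of \d+ bytes)?$"
)

# Constructed samples based on this chapter's output.
STARTUP = """\
!
hostname Switch1
!
interface Vlan1
 ip address 192.168.1.101 255.255.255.0
!
banner login ^C
Welcome to Switch1!
^C
!
end
"""

RUNNING = """\
Building configuration...

Current configuration : 3069 bytes
!
hostname Switch1
!
interface Vlan1
 ip address 192.168.1.101 255.255.255.0
!
end
"""


def config_items(text):
    """Return a set of (parent, line) pairs; top-level lines have parent ''."""
    items = set()
    parent = ""
    banner = None  # the banner command whose text is being read, if any
    for raw in text.splitlines():
        line = raw.rstrip()
        if banner is not None:
            # Banner text sits on its own unindented lines until the delimiter.
            closing = line.endswith("^C")
            body = line[:-2] if closing else line
            if body:
                items.add((banner, body))
            if closing:
                banner = None
            continue
        if NOISE.match(line):
            continue
        if line.startswith("!"):
            parent = ""  # a separator ends the current section
            continue
        if line.startswith("banner ") and line.count("^C") == 1:
            banner = line
            items.add(("", line))
            continue
        if line.startswith(" "):
            items.add((parent, line.strip()))
        else:
            parent = line
            items.add(("", line))
    return items


def unsaved_changes(running, startup):
    """Compare the two configurations; both lists empty means they agree."""
    run, start = config_items(running), config_items(startup)
    return {
        "only_in_running": sorted(run - start),  # lost at the next reload
        "only_in_startup": sorted(start - run),  # comes back at the next reload
    }


if __name__ == "__main__":
    for where, items in unsaved_changes(RUNNING, STARTUP).items():
        print(where, items)
```

Here the banner removed with the no command still appears under only_in_startup, which is the state the chapter describes before the final save.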

Try it now

Remove the login banner from your switch’s running configuration. Compare the running configuration with the startup configuration. Do you notice any difference? Save the startup configuration to make the change permanent.

3.9. Commands in this chapter

IOS is context-sensitive, so you can’t just type any command anywhere and expect great things to happen. But there are some commands that you’ll use over and over again, so it’s important that you understand what they do. Table 3.1 lists some common commands and their descriptions.

Table 3.1. Commands used in this chapter

Command                             Description
show ?                              Displays subcommands that show information about the device
show version                        Displays the device platform, IOS version, and package
show running-config                 Displays the current running configuration
configure terminal                  Enters global configuration mode
no                                  In global configuration mode, removes the specified command from the running configuration
show startup-config                 Displays the startup configuration in NVRAM
copy running-config startup-config  Overwrites the startup configuration with the current running configuration
reload                              Reboots the device

3.10. Hands-on lab

Practice everything you learned in this chapter. Make sure you can log in to all of the devices in your environment and can view the running configuration. There’s no need to make additional configuration changes yet. What’s important is that you can get into the IOS CLI, navigate it, view the running configuration, and get into global configuration mode.