Friday, April 24, 2026

Cisco | Cisco 2960 Switch Configuration (PID: WS-C2960-24TC-L)


Changing Switch Hostname:

Switch(config)#hostname DST-SW

Configuring Passwords:

DST-SW(config)#enable secret sysadmin
Securing Console Port:
DST-SW(config)#line con 0 
DST-SW(config-line)#password sysadmin
DST-SW(config-line)#login 
Securing Terminal Lines:
DST-SW(config)#line vty 0 4 
DST-SW(config-line)#password sysadmin
DST-SW(config-line)#login
Encrypting Passwords:
DST-SW(config)#service password-encryption
Configuring Banners:
DST-SW(config)#banner motd $ -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- UNAUTHORIZED ACCESS IS PROHIBITED -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- $
Giving the Switch an IP Address:
DST-SW(config)#interface vlan 1 
DST-SW(config-if)#ip address 192.168.101.2 255.255.255.0 
DST-SW(config-if)#no shutdown
Setting the Default Gateway:
DST-SW(config)#ip default-gateway 192.168.101.1
Saving Configuration:
DST-SW#copy running-config startup-config
Destination filename [startup-config]? 
Building configuration… [OK]
Or

DST-SW#wr 
Building configuration… [OK] 

Working Environment (name lookup, history, exec-timeout and logging behavior):
DST-SW(config)#no ip domain-lookup 
DST-SW(config)#line vty 0 4 
DST-SW(config-line)#history size 15 
DST-SW(config-line)#exec-timeout 10 30
DST-SW(config-line)#logging synchronous

 

Configuring Switch to use SSH:
• Configure DNS domain name: 
DST-SW(config)#ip domain-name example.com 
• Configure a username and password: 
DST-SW(config)#username admin secret cisco
• Generate encryption keys: 
DST-SW(config)#crypto key generate rsa
How many bits in the modulus [512]: 1024
• Define SSH version to use: 
DST-SW(config)#ip ssh version 2 
• Enable vty lines to use SSH: 
DST-SW(config)#line vty 0 4 
DST-SW(config-line)#login local 
DST-SW(config-line)#transport input telnet ssh 
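
A check for the console and vty settings configured above, as an added example (not code from the original post): it parses the line stanzas of a saved running-config and reports where Telnet is still accepted, where a shared line password is used, and where a password is stored as type 7. The sample config, the placeholder password string and the audit_lines function are constructed for illustration; the vty 5 15 stanza is included because line vty 0 4 does not cover it.

```python
import re

# Constructed running-config excerpt (not captured from a real device) that
# mirrors the line settings on this page; the type 7 string is a placeholder.
SAMPLE_CONFIG = """\
service password-encryption
ip ssh version 2
line con 0
 password 7 0000000000
 login
line vty 0 4
 password 7 0000000000
 login local
 transport input telnet ssh
line vty 5 15
 login
"""

# One match per "line ..." stanza: header, then its indented sub-commands.
STANZA = re.compile(r"^(line \S+ [\d ]+)\n((?:[ \t]+.*\n?)*)", re.M)

def audit_lines(config):
    """Return (line, finding) pairs for weak console/vty settings."""
    findings = []
    for header, body in STANZA.findall(config):
        header = header.strip()
        cmds = [c.strip() for c in body.splitlines() if c.strip()]
        has_password = any(c.startswith("password") for c in cmds)
        transport = next((c for c in cmds if c.startswith("transport input")), "")
        if header.startswith("line vty"):
            if not transport:
                findings.append((header, "no transport input; platform default applies"))
            elif {"telnet", "all"} & set(transport.split()[2:]):
                findings.append((header, "telnet accepted; logins cross the wire in cleartext"))
        if "login" in cmds and has_password:
            findings.append((header, "shared line password instead of login local"))
        if any(c.startswith("password 7 ") for c in cmds):
            findings.append((header, "type 7 password is reversible obfuscation"))
    return findings

if __name__ == "__main__":
    for header, finding in audit_lines(SAMPLE_CONFIG):
        print(f"{header}: {finding}")
```

Changing the vty stanza to transport input ssh clears the Telnet finding; the type 7 finding remains for any line password that service password-encryption has obfuscated.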
Description, Speed, and Duplex:
DST-SW(config)#interface fastEthernet 0/1 
DST-SW(config-if)#description ***To-Core RTR***
DST-SW(config-if)#speed 100 (options: 10, 100, auto) 
DST-SW(config)#interface range fastEthernet 0/5 - 10
DST-SW(config-if-range)#duplex full (options: half, full, auto)
Verify Basic Configuration:

• Shows information about the switch and its interfaces, RAM, NVRAM, flash, IOS, etc.
DST-SW#show version 
• Shows the current configuration file stored in DRAM. 
DST-SW#show running-config 
• Shows the configuration file stored in NVRAM which is used at first boot process. 
DST-SW#show startup-config 
• Lists the commands currently held in the history buffer. 
DST-SW#show history 
• Shows an overview of all interfaces, their physical status, protocol status and ip address if assigned. 
DST-SW#show ip interface brief 
• Shows detailed information about the specified interface, its status, protocol, duplex, speed, encapsulation, last 5 min traffic. 
DST-SW#show interface vlan 1 
• Shows the description of all interfaces 
DST-SW#show interfaces description 
• Shows the status of all interfaces like connected or not, speed, duplex, trunk or access vlan. 
DST-SW#show interfaces status 
• Shows the public encryption key used for SSH. 
DST-SW#show crypto key mypubkey rsa 
• Shows information about the leased IP address (when an interface is configured to get IP address via a dhcp server)
DST-SW#show dhcp lease 

 

Configuring Port Security:

• Make the switch interface an access port
DST-SW(config-if)#switchport mode access 
• Enable port security on the interface: 
DST-SW(config-if)#switchport port-security 
• Specify the maximum number of allowed MAC addresses: 
DST-SW(config-if)#switchport port-security maximum 1 
• Define the action to take when violation occurs: 
DST-SW(config-if)#switchport port-security violation shutdown (options: shutdown, protect, restrict) 
• Specify the allowed MAC addresses: 
DST-SW(config-if)#switchport port-security mac-address 68b5.9965.1195 (options: H.H.H, sticky)


Verify and Troubleshoot Port Security: 

• Shows the entries of the mac address table 
DST-SW#show mac-address-table 
• An overview of port security of all interfaces 
DST-SW#show port-security 
• Shows detailed information about port security on the specified interface 
DST-SW#show port-security interface fa0/5 
Configuring VLANs: 
• Create a new VLAN and give it a name: 
DST-SW(config)#vlan 10 
DST-SW(config-vlan)#name ***To-IT-Users***
• Assign an access interface to access a specific VLAN:
DST-SW(config)#interface fastEthernet 0/5 
DST-SW(config-if)#switchport mode access 
DST-SW(config-if)#switchport access vlan 10 
Configuring an auxiliary VLAN for cisco IP phones: 
DST-SW(config)#interface fastEthernet 0/5 
DST-SW(config-if)#switchport access vlan 10 
DST-SW(config-if)#switchport voice vlan 12 
Configuring Trunks:
DST-SW(config)#interface fastEthernet 0/1 
DST-SW(config-if)#switchport mode trunk (options: access, trunk, dynamic auto, dynamic desirable)
DST-SW(config-if)#switchport trunk allowed

Securing VLANS and Trunking:
• Administratively disable unused interfaces: 
DST-SW(config-if)#shutdown 
• Prevent trunking by disabling auto negotiation on the interface: 
DST-SW(config-if)#switchport nonegotiate (or hardcode the port as an access port)
DST-SW(config-if)#switchport mode access 
• Assign the port to an unused VLAN: 
DST-SW(config-if)#switchport access vlan 222 
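
To check that the port security and trunk hardening steps above were applied to every port, the following added example (not code from the original post) walks the interface stanzas of a saved running-config and lists the gaps per active port. The sample config and the audit_ports function are constructed for illustration.

```python
import re

# Constructed running-config excerpt (not from a real device); port names and
# VLAN numbers follow the examples on this page.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode trunk
interface FastEthernet0/5
 switchport access vlan 10
 switchport mode access
 switchport port-security
interface FastEthernet0/6
 switchport mode access
interface FastEthernet0/7
interface FastEthernet0/8
 switchport access vlan 222
 switchport mode access
 shutdown
interface Vlan1
 ip address 192.168.101.2 255.255.255.0
"""

IFACE = re.compile(r"^interface (\S+)\n((?:[ \t]+.*\n?)*)", re.M)

def audit_ports(config):
    """Map each active physical port to its hardening gaps."""
    report = {}
    for name, body in IFACE.findall(config):
        cmds = {c.strip() for c in body.splitlines() if c.strip()}
        if name.lower().startswith("vlan") or "shutdown" in cmds:
            continue  # SVIs are not switchports; shut ports carry no traffic
        gaps = []
        if "switchport mode trunk" in cmds:
            if "switchport nonegotiate" not in cmds:
                gaps.append("trunk still sends DTP (no switchport nonegotiate)")
            if not any(c.startswith("switchport trunk allowed vlan") for c in cmds):
                gaps.append("trunk carries every VLAN (no allowed list)")
        elif "switchport mode access" not in cmds:
            gaps.append("no static mode; port can negotiate a trunk via DTP")
        elif "switchport port-security" not in cmds:
            gaps.append("access port without port-security")
        if gaps:
            report[name] = gaps
    return report

if __name__ == "__main__":
    for port, gaps in audit_ports(SAMPLE_CONFIG).items():
        print(port, "->", "; ".join(gaps))
```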
STP optimization:
• Hard coding the root bridge (changing bridge priority): 
DST-SW(config)#spanning-tree vlan 1 root primary 
DST-SW(config)#spanning-tree vlan 1 root secondary 
DST-SW(config)#spanning-tree [vlan 1] priority 8192 
• Changing the STP mode: 
DST-SW(config)#spanning-tree mode rapid-pvst (options: mst, pvst, rapid-pvst) 
• Enabling portfast and BPDU guard on an interface: 
DST-SW(config-if)#spanning-tree portfast 
DST-SW(config-if)#spanning-tree bpduguard enable 
• Changing port cost: 
DST-SW(config-if)#spanning-tree [vlan 1] cost 25 
• Bundling interfaces into an etherchannel: 
DST-SW(config-if)#channel-group 1 mode on (options: auto, desirable, on)

STP Verification and Troubleshooting:

• Shows detailed info about STP state 
DST-SW#show spanning-tree 
• Shows STP info only on a specific port 
DST-SW#show spanning-tree interface fa0/2 
• Shows STP info only for a specific VLAN 
DST-SW#show spanning-tree vlan 1 
• Shows info about the root switch 
DST-SW#show spanning-tree [vlan 1] root
• Shows info about the local switch
DST-SW#show spanning-tree [vlan 1] bridge
• Show the state of the etherchannels 
DST-SW#show etherchannel 1 
• Provides informational messages about the changes in the STP topology 
DST-SW#debug spanning-tree events 

Enabling or disabling CDP: 
• Enabling CDP globally on a switch: 
DST-SW(config)#cdp run 

• Disabling CDP on a given interface: 
DST-SW(config-if)#no cdp enable  

Using CDP for Network Verification and Troubleshooting:

• Shows global information about CDP itself 
DST-SW#show cdp
• Shows information about CDP on a specific interface 
DST-SW#show cdp interface fa0/2 
• Shows information about the directly connected Cisco devices, including interface names and capabilities
DST-SW#show cdp neighbors 
• Shows detailed information about the neighboring cisco devices including device address and version of IOS they run 
DST-SW#show cdp neighbors detail 
• Same as show cdp neighbors detail
DST-SW#show cdp entry * 
• Shows detailed information about the specified entry only 
DST-SW#show cdp entry DST-SW2 

Cisco | Configure Cisco (ISR C1121X-8P) Router

 When I had to configure a Cisco (ISR C1121X-8P) router, I noticed it only had a Micro USB console port. I was able to connect using a standard cable, and this generated a COM8 port in Device Manager. I then successfully established a connection to that port using PuTTY at a speed of 9600.

enable
show running-config
configure terminal
 
hostname lifeisrouting.com
enable secret PASSWORD
 
ip domain-name lifeisrouting.local
crypto key generate rsa modulus 2048
username admin secret PASSWORD
ip ssh version 2
line vty 0 4
login local
transport input ssh
 
Configured the WAN port:

interface GigabitEthernet0/0/0
description WAN
ip address dhcp
ip nat outside
no shutdown
 
Configured DHCP and NAT:

ip dhcp excluded-address 192.168.100.1 192.168.100.10
ip dhcp pool LAN-POOL
network 192.168.100.0 255.255.255.0
default-router 192.168.100.1
dns-server 1.1.1.1 8.8.4.4
 
access-list 1 permit 192.168.100.0 0.0.0.255
ip nat inside source list 1 interface GigabitEthernet0/0/0 overload

The second interface was configured as a backup WAN. The switchport command is not applicable to this interface, meaning it cannot be logically combined with the other eight LAN ports. Therefore, it must be treated as a separate routed interface, which allows you to configure a distinct IP address (or a separate DHCP client) on it.

interface GigabitEthernet0/0/1
description WAN2
ip address dhcp
ip nat outside
no shutdown
 
Created interface vlan 1:
 
interface vlan 1
ip address 192.168.100.1 255.255.255.0
ip nat inside

Setting up eight LAN ports (by default the ports are in vlan 1, so it is enough to specify mode access):

interface GigabitEthernet0/1/0
switchport mode access
switchport access vlan 1
no shutdown
 
interface range GigabitEthernet0/1/0 - 0/1/7
switchport mode access
switchport access vlan 1
no shutdown
exit

Saving configuration:

write memory
copy running-config startup-config

Viewing various information:

show interfaces GigabitEthernet0/0/1 switchport
show ip interface brief
show ip route
show version
show running-config

Enabling an http server where you can view various statistics:

ip http server
ip http authentication local

FortiGate | Installing FortiOS on FortiGate Appliance

Installing FortiOS on FortiGate hardware is typically done using the TFTP (Trivial File Transfer Protocol) method via a console cable for a clean installation.


Prerequisites:
1. Firmware Image (.out file): Download the specific FortiOS firmware file for your FortiGate model from the support site. Ensure you check the upgrade path if you are moving between major versions.

2. TFTP Server Software: Install a temporary TFTP server application (e.g., tftpd) on your management computer.

3. Console Cable: An RJ-45 to USB or DB-9 serial cable to connect your computer to the FortiGate's console port.

4. Fortinet Support Account: Access to the Fortinet Customer Service & Support website is required to download firmware images.

5. Terminal Emulation Program: Software like PuTTY or Tera Term for console access, configured with settings: Baud Rate 9600, 8 data bits, no parity, 1 stop bit, and no flow control.

6. Network Setup: The management computer running the TFTP server must be on the same local subnet as the FortiGate interface used for the transfer (e.g., port1 or a dedicated MGMT port).

TFTP Method:
This procedure will reset the FortiGate to factory default settings. 

1. Connect via Console: Connect the console cable between your management computer and the FortiGate's console port. Open your terminal emulation program.

2. Place Firmware: Copy the downloaded FortiOS firmware .out file to the root directory of your TFTP server software (e.g., TFTP-Root on the C:\ drive or another folder).

3. Configure IP Addresses: Ensure the FortiGate interface (e.g., port1) and your TFTP server's IP address are on the same subnet (e.g., FortiGate: 192.168.1.1, TFTP Server: 192.168.1.2).

4. Reboot the FortiGate: In the CLI session, run the command execute reboot and type y to confirm, or hard reboot the FortiGate firewall.

5. Interrupt Boot Process: As the FortiGate reboots, a series of system startup messages will appear. When you see the message Press any key to display configuration menu.........., immediately press any key to enter the boot menu (you have only 3 seconds).

6. Configure Network & Transfer: Choose 'G' (Get firmware image from TFTP server) and enter the IP address of the FortiGate, subnet mask, TFTP server IP, and the firmware file name.

7. Installation: The device will download, flash, and format the boot device, finally rebooting with the new firmware. 

Important Notes:
1. A clean install via TFTP usually resets the configuration to factory defaults, so ensure you have a backup.

2. Ensure that the PC acting as the TFTP server is in the same subnet as the FortiGate.

3. Some models may require a format boot device step ('F') before fetching the new image to ensure a completely clean install.