2 - The Network Operating System
Every computer requires an operating system to function, including computer-based network devices such as switches, routers, access
points, and firewalls. These network devices use an operating system called a network operating system.
All end devices and network devices require an operating system (OS). The portion of the OS that interacts directly with computer
hardware is known as the kernel. The portion that interfaces with applications and the user is known as the shell. The user can interact
with the shell using a command-line interface (CLI) or a graphical user interface (GUI).
When using a CLI, the user interacts directly with the system in a text-based environment by entering commands on the keyboard at a
command prompt. The system executes the command, often providing textual output. The CLI requires very little overhead to operate.
However, it does require that the user have knowledge of the underlying structure that controls the system.
A GUI such as Windows, OS X, Apple iOS, or Android allows the user to interact with the system using an environment of
graphical icons, menus, and windows. The GUI is more user-friendly and requires less knowledge of the underlying command
structure that controls the system. For this reason, many individuals rely on GUI environments.
However, GUIs may not always be able to provide all of the features available at the CLI. GUIs can also fail, crash, or simply not
operate as specified. For these reasons, network devices are typically accessed through a CLI. The CLI is less resource intensive and
very stable when compared to a GUI.
The network operating system used on Cisco devices is called the Cisco Internetwork Operating System (IOS). Cisco IOS is used for
most Cisco devices regardless of the type or size of the device.
Note: The operating system on home routers is usually called firmware. The most common method for configuring a home router is by
using a web browser-based GUI.
Network operating systems are similar to a PC operating system. Through a GUI, a PC operating system enables a user to:
use a mouse to make selections and run programs
enter text and text-based commands
view output on a monitor
A CLI-based network operating system like the Cisco IOS on a switch or router enables a network technician to:
use a keyboard to run CLI-based network programs
use a keyboard to enter text and text-based commands
view output on a monitor
A Cisco IOS switch can be implemented with no configuration and still switch data between connected devices. By connecting two
PCs to a switch, those PCs will instantly have connectivity with one another.
There are several ways to access the CLI environment and configure the device. The most common methods are:
Console – This is a physical management port that provides out-of-band access to a Cisco device. Out-of-band access refers to
access via a dedicated management channel that is used for device maintenance purposes only.
Secure Shell (SSH) – SSH is a method for remotely establishing a secure CLI connection through a virtual interface, over a
network. Unlike a console connection, SSH connections require active networking services on the device including an active
interface configured with an address.
Telnet – Telnet is an insecure method of remotely establishing a CLI session through a virtual interface, over a network. Unlike
SSH, Telnet does not provide a securely encrypted connection. User authentication, passwords, and commands are sent over the
network in plaintext.
Note: Some devices, such as routers, may also support a legacy auxiliary port that was used to establish a CLI session remotely using
a modem. Similar to a console connection, the AUX port is out-of-band and does not require networking services to be configured or
available.
There are a number of terminal emulation programs available for connecting to a networking device, either by a serial connection over
a console port or by an SSH/Telnet connection. Some of these include: PuTTY, Tera Term, SecureCRT, OS X Terminal.
As a security feature, the Cisco IOS software separates management access into the following two command modes:
User EXEC Mode - This mode has limited capabilities but is useful for basic operations. It allows only a limited number of
basic monitoring commands but does not allow the execution of any commands that might change the configuration of the
device. The user EXEC mode is identified by the CLI prompt that ends with the > symbol.
Privileged EXEC Mode - To execute configuration commands, a network administrator must access privileged EXEC mode.
Higher configuration modes, like global configuration mode, can only be reached from privileged EXEC mode. The privileged
EXEC mode can be identified by the prompt ending with the # symbol.
To configure the device, the user must enter Global Configuration Mode, which is commonly called global config mode.
From global config mode, CLI configuration changes are made that affect the operation of the device as a whole. Global configuration
mode is identified by a prompt that ends with (config)# after the device name, such as Switch(config)#.
Global configuration mode is accessed before other specific configuration modes. From global config mode, the user can enter
different sub-configuration modes. Each of these modes allows the configuration of a particular part or function of the IOS device.
Two common sub-configuration modes include:
Line Configuration Mode - Used to configure console, SSH, Telnet, or AUX access.
Interface Configuration Mode - Used to configure a switch port or router network interface.
When using the CLI, the mode is identified by the command-line prompt that is unique to that mode. By default, every prompt begins
with the device name. Following the name, the remainder of the prompt indicates the mode. For example, the default prompt for line
configuration mode is Switch(config-line)# and the default prompt for interface configuration mode is Switch(config-if)#.
Various commands are used to move in and out of command modes. To move from user EXEC mode to privileged EXEC mode, use
the enable command. Use the disable privileged EXEC mode command to return to user EXEC mode.
To move in and out of global configuration mode, use the configure terminal privileged EXEC mode command. To return to the
privileged EXEC mode, enter the exit global config mode command.
There are many different sub-configuration modes. For example, to enter line sub-configuration mode, you use the line command
followed by the management line type and number you wish to access. To exit a sub-configuration mode and return to global
configuration mode, use the exit command. Notice the changes in the command prompt.
Switch(config)# line console 0
Switch(config-line)# exit
Switch(config)#
To move from any sub-configuration mode of the global configuration mode to the mode one step above it in the hierarchy of modes,
enter the exit command.
To move from any sub-configuration mode to the privileged EXEC mode, enter the end command or enter the key
combination Ctrl+Z.
Switch(config-line)# end
Switch#
You can also move directly from one sub-configuration mode to another. Notice how after the network device name, the command
prompt changes from (config-line)# to (config-if)#.
Switch(config-if)#
A command might require one or more arguments. To determine the keywords and arguments required for a command, refer to the
command syntax. The syntax provides the pattern or format that must be used when entering a command.
As identified in the table in the figure, boldface text indicates commands and keywords that are entered as shown. Italic text indicates
an argument for which the user provides the value.
For instance, the syntax for using the description command is description string. The argument is a string value provided by the user.
The description command is typically used to identify the purpose of an interface. For example, entering the command description
Connects to the main headquarter office switch documents which device is at the other end of the connection.
The following examples demonstrate conventions used to document and use IOS commands.
ping ip-address – The command is ping and the user-defined argument is the ip-address of the destination device. For
example, ping 10.10.10.5.
traceroute ip-address – The command is traceroute and the user-defined argument is the ip-address of the destination device.
For example, traceroute 192.168.254.254.
Context-Sensitive Help
Context-sensitive help enables you to quickly find which commands are available in each command mode, which commands start
with specific characters or group of characters, and which arguments and keywords are available to particular commands. To access
context-sensitive help, simply enter a question mark, ?, at the CLI.
The command syntax check verifies that a valid command was entered by the user. When a command is entered, the command line
interpreter evaluates the command from left to right. If the interpreter understands the command, the requested action is executed, and
the CLI returns to the appropriate prompt. However, if the interpreter cannot understand the command being entered, it will provide
feedback describing what is wrong with the command.
The IOS CLI provides hot keys and shortcuts that make configuring, monitoring, and troubleshooting easier, as shown in the figure.
Commands and keywords can be shortened to the minimum number of characters that identify a unique selection. For example,
the configure command can be shortened to conf because configure is the only command that begins with conf. An even shorter
version, con, will not work because more than one command begins with con. Keywords can also be shortened.
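The mode hierarchy, the prompts, and the abbreviation rule described above can be modelled in a few dozen lines. The following is an added example written for this page; it is not Cisco code and does not talk to a device. The mode labels (user, priv, config, config-line, config-if) and the per-mode command subsets are this example's own assumptions, and "connect" is included only so that the abbreviation con is ambiguous in privileged EXEC, as the text says.

```python
# Added example for this page; not Cisco code.  Models the IOS command-mode
# hierarchy and prompts, and resolves abbreviated commands the way the text
# describes: a prefix is accepted only when exactly one command valid in the
# current mode begins with it.

PROMPTS = {            # prompt suffix shown after the hostname in each mode
    "user": ">",
    "priv": "#",
    "config": "(config)#",
    "config-line": "(config-line)#",
    "config-if": "(config-if)#",
}

PARENT = {             # the mode one step up; "exit" moves there
    "priv": "user",
    "config": "priv",
    "config-line": "config",
    "config-if": "config",
}

SUBCONFIG = ("config", "config-line", "config-if")

# Assumed subset of the commands each mode accepts.  "connect" is listed so
# that "con" is ambiguous in privileged EXEC, as in the text.
VALID = {
    "user": {"enable", "exit", "ping", "traceroute", "show", "connect"},
    "priv": {"disable", "configure", "connect", "copy", "show", "ping",
             "traceroute", "reload", "exit"},
    "config": {"line", "interface", "hostname", "banner", "service", "exit", "end"},
    "config-line": {"line", "interface", "password", "login", "exit", "end"},
    "config-if": {"line", "interface", "description", "ip", "shutdown", "no",
                  "exit", "end"},
}


def resolve(word, names):
    """Expand an abbreviation: a unique prefix gives the full name; otherwise
    raise an error in the style of the IOS syntax check."""
    matches = sorted(n for n in names if n.startswith(word))
    if len(matches) == 1:
        return matches[0]
    if not matches:
        raise ValueError(f"% Invalid input: {word!r}")
    raise ValueError(f"% Ambiguous command: {word!r} could be {', '.join(matches)}")


def next_mode(mode, command, args):
    """Mode the session is in after running the expanded command in `mode`.
    Commands that do not change mode return the current mode."""
    if command == "enable":
        return "priv"
    if command == "disable":
        return "user"
    if command == "configure":
        if not args:
            raise ValueError("% Incomplete command.")
        resolve(args[0], ["terminal"])        # the keyword may be abbreviated too
        return "config"
    if command == "line":                     # needs a line type and a number
        if len(args) < 2:
            raise ValueError("% Incomplete command.")
        return "config-line"
    if command == "interface":
        if not args:
            raise ValueError("% Incomplete command.")
        return "config-if"
    if command == "exit":                     # one step up; from user EXEC the session would close
        return PARENT.get(mode, "user")
    if command == "end":                      # straight back to privileged EXEC
        return "priv"
    return mode


class IosShell:
    """Tracks the mode of one CLI session and renders its prompt."""

    def __init__(self, hostname="Switch"):    # "Switch" is the factory default name
        self.hostname = hostname
        self.mode = "user"

    @property
    def prompt(self):
        return self.hostname + PROMPTS[self.mode]

    def run(self, line):
        """Run one command line and return the prompt shown afterwards."""
        words = line.split()
        if not words:
            return self.prompt
        if words[0] == "^Z" and self.mode in SUBCONFIG:   # Ctrl+Z acts like end
            command = "end"
        else:
            command = resolve(words[0], VALID[self.mode])
        if command == "hostname" and words[1:]:           # the prompt follows the device name
            self.hostname = words[1]
        self.mode = next_mode(self.mode, command, words[1:])
        return self.prompt
```

Because abbreviations are resolved against the commands of the current mode, en expands to enable in user EXEC even though end also starts with en, and configure terminal typed in user EXEC is rejected as invalid input rather than silently ignored.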
When configuring a networking device, one of the first steps is configuring a unique device name or hostname. Hostnames that appear
in CLI prompts can be used in various authentication processes between devices, and should be used on topology diagrams.
If the device name is not explicitly configured, a factory assigned default name is used by the Cisco IOS. The default name for a Cisco
IOS switch is "Switch." If all network devices were left with their default names, it would be difficult to identify a specific device. For
instance, when accessing a remote device using SSH, it is important to have confirmation that you are connected to the proper device.
Hostnames in Cisco IOS are case sensitive: uppercase and lowercase characters are preserved, so you can capitalize a name
as you ordinarily would. This contrasts with most Internet naming schemes, where uppercase and lowercase characters are treated
identically.
Once the naming convention has been identified, the next step is to apply the names to the devices using the CLI.
From the privileged EXEC mode, access the global configuration mode by entering the configure terminal command. Notice the
change in the command prompt.
From global configuration mode, enter the command hostname followed by the name of the switch and press Enter. Notice the
change in the command prompt name.
Note: To remove the configured hostname and return the switch to the default prompt, use the no hostname global config command.
Always make sure the documentation is updated each time a device is added or modified. Identify devices in the documentation by
their location, purpose, and address.
Cisco IOS can be configured to use hierarchical mode passwords to allow different access privileges to a network device.
The most important password to configure is access to the privileged EXEC mode, as shown in Figure 1. To secure privileged EXEC
access, use the enable secret password global config command.
To secure the user EXEC access, the console port must be configured, as shown in Figure 2. Enter line console configuration mode
using the line console 0 global configuration command. The zero is used to represent the first (and in most cases the only) console
interface. Next, specify the user EXEC mode password using the password password command. Finally, enable user EXEC access
using the login command. Console access will now require a password before gaining access to the user EXEC mode.
Virtual terminal (VTY) lines enable remote access to the device. To secure VTY lines used for SSH and Telnet, enter line VTY mode
using the line vty 0 15 global config command, as shown in Figure 3. Many Cisco switches support up to 16 VTY lines that are
numbered 0 to 15. Next, specify the VTY password using the password password command. Lastly, enable VTY access using
the login command.
The startup-config and running-config files display most passwords in plaintext. This is a security threat since anyone can see the
passwords used if they have access to these files.
To encrypt passwords, use the service password-encryption global config command. The command applies weak (easily reversible)
encryption to all unencrypted passwords. This encryption applies only to passwords in the configuration file, not to passwords as they
are sent over the network. The purpose of this command is to keep unauthorized individuals from casually viewing passwords in the
configuration file.
To create a banner message of the day on a network device, use the banner motd # the message of the day # global config command.
The “#” in the command syntax is called the delimiting character. It is entered before and after the message. The delimiting character
can be any character as long as it does not occur in the message. For this reason, symbols such as the "#" are often used. After the
command is executed, the banner will be displayed on all subsequent attempts to access the device until the banner is removed.
Because banners can be seen by anyone who attempts to log in, the message must be worded very carefully. The exact content or
wording of a banner depends on the local laws and corporate policies. The banner should state that only authorized personnel are
allowed to access the device. Any wording that implies a login is "welcome" or "invited" is inappropriate. Further, the banner can
include scheduled system shutdowns and other information that affects all network users.
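The checks in the three sections above (privileged EXEC secret, console and VTY line passwords with login, service password-encryption, and an appropriately worded banner) are easy to run against a saved copy of a running-config. The following audit script is an added example written for this page, not Cisco code. Both configurations in it are constructed, not captured from a device; the hostname Sw-Floor-1, the banner text and the encoded password values are placeholders, and the line stanza headers use the abbreviated forms (line con 0, line vty 0 4) that IOS writes into the configuration.

```python
# Added example for this page; not Cisco code.  Parses a running-config into
# stanzas and reports the gaps the text describes.

import re

# Constructed sample: a switch with only some of the page's commands applied.
WEAK_CONFIG = """\
hostname Switch
!
banner motd ^Welcome to the lab switch!^
!
line con 0
 password cisco
 login
line vty 0 4
 password cisco
 login
line vty 5 15
 login
!
end
"""

# Constructed sample with every command from the text applied.  The secret
# hash and the type-7 strings are placeholders, not real encodings.
HARDENED_CONFIG = """\
service password-encryption
hostname Sw-Floor-1
!
enable secret 5 $1$PLACEHOLDER$notarealhash0000000000
!
banner motd ^Authorized access only. Disconnect immediately if you are not an authorized user.^
!
line con 0
 password 7 0123456789AB
 login
line vty 0 15
 password 7 0123456789AB
 login
!
end
"""


def parse_stanzas(config):
    """Group a config into (header, [sub-commands]) pairs: a top-level line
    followed by the indented lines that belong to it."""
    stanzas, header, children = [], None, []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace():
            children.append(raw.strip())
        else:
            if header is not None:
                stanzas.append((header, children))
            header, children = raw.strip(), []
    if header is not None:
        stanzas.append((header, children))
    return stanzas


def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    stanzas = parse_stanzas(config)
    top = [header for header, _ in stanzas]

    hostname = next((h.split(None, 1)[1] for h in top if h.startswith("hostname ")), "Switch")
    if hostname == "Switch":
        findings.append("hostname is the factory default 'Switch'; set a unique name")
    if not any(h.startswith("enable secret") for h in top):
        findings.append("no 'enable secret': privileged EXEC mode is not password protected")
    if "service password-encryption" not in top:
        findings.append("'service password-encryption' is off: line passwords are stored in plaintext")
    banner = next((h for h in top if h.startswith("banner motd")), None)
    if banner is None:
        findings.append("no 'banner motd': no authorized-use notice is shown at login")
    elif re.search(r"\b(welcome|invited)\b", banner, re.IGNORECASE):
        findings.append("'banner motd' wording implies access is welcome; it should state that "
                        "only authorized personnel may access the device")

    # Each console/VTY line needs both a password and login for the password
    # to be checked.  A type-7 value appears as "password 7 <hex>".
    for header, children in stanzas:
        if not header.startswith("line "):
            continue
        password = next((c for c in children if c.startswith("password ")), None)
        has_login = any(c.split()[0] == "login" for c in children)
        if password is None and not has_login:
            findings.append(f"'{header}': no login and no password, so the line grants user EXEC without a password")
        elif password is None:
            findings.append(f"'{header}': login is set but no password has been configured; set one with the password command")
        elif not password.startswith("password 7 "):
            findings.append(f"'{header}': password is stored in plaintext")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {len(audit(cfg))} finding(s)")
        for finding in audit(cfg):
            print("  -", finding)
```

Run against the weak sample the script reports seven findings (default hostname, no enable secret, no service password-encryption, a welcoming banner, two plaintext line passwords and a VTY range with login but no password); the hardened sample reports none. Passwords shown as type 7 are only hidden from casual viewing, as the text says, so a clean result here does not mean the configuration file can be shared freely.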
There are two system files that store the device configuration:
startup-config - The file stored in Non-volatile Random Access Memory (NVRAM) that contains all of the commands that will
be used by the device upon startup or reboot. NVRAM does not lose its contents when the device is powered off.
running-config - The file stored in Random Access Memory (RAM) that reflects the current configuration. Modifying a
running configuration affects the operation of a Cisco device immediately. RAM is volatile memory. It loses all of its content
when the device is powered off or restarted.
As shown in the figure, use the show running-config privileged EXEC mode command to view the running configuration file. To
view the startup configuration file, use the show startup-config privileged EXEC command.
If power to the device is lost or if the device is restarted, all configuration changes will be lost unless they have been saved. To save
changes made to the running configuration to the startup configuration file use the copy running-config startup-config privileged
EXEC mode command.
If changes made to the running configuration do not have the desired effect and the running-config file has not yet been saved, you can
restore the device to its previous configuration by removing the changed commands individually or by reloading the device with
the reload privileged EXEC mode command, which restores the startup-config.
The downside to using the reload command to remove an unsaved running configuration is the brief amount of time the device will be
offline, causing network downtime.
When initiating a reload, the IOS will detect that the running config has changes that were not saved to the startup configuration. A
prompt will appear to ask whether to save the changes. To discard the changes, enter n or no.
Alternatively, if undesired changes were saved to the startup configuration, it may be necessary to clear all the configurations. This
requires erasing the startup configuration and restarting the device. The startup configuration is removed by using the erase
startup-config privileged EXEC mode command. After the command is issued, the switch will prompt you for confirmation. Press Enter
to accept.
After removing the startup configuration from NVRAM, reload the device to remove the current running configuration file from
RAM. On reload, a switch will load the default startup configuration that originally shipped with the device.
Configuration files can also be saved and archived to a text document. This sequence of steps ensures that a working copy of the
configuration file is available for editing or reuse later.
For example, assume that a switch has been configured, and the running configuration has been saved on the device.
Open a terminal emulation software such as PuTTY or Tera Term (Figure 1) connected to a switch.
Enable logging in the terminal software, such as PuTTY or Tera Term, and assign a name and file location to save the log file.
Figure 2 displays that All session output will be captured to the file specified (e.g., MySwitchLogs).
Execute the show running-config or show startup-config command at the privileged EXEC prompt. Text displayed in the
terminal window will be placed into the chosen file.
Disable logging in the terminal software. Figure 3 shows how to disable logging by choosing the None session logging option.
The text file created can be used as a record of how the device is currently implemented. The file could require editing before being
used to restore a saved configuration to a device.
To restore a configuration file to a device: enter global configuration mode on the device, copy and paste the text file into the terminal
window connected to the switch.
The text in the file will be applied as commands in the CLI and become the running configuration on the device. This is a convenient
method of manually configuring a device.
The use of IP addresses is the primary means of enabling devices to locate one another and establish end-to-end communication on the
Internet. Each end device on a network must be configured with an IP address.
The structure of an IPv4 address is called dotted decimal notation and is represented by four decimal numbers between 0 and 255.
IPv4 addresses are assigned to individual devices connected to a network.
Note: IP in this course refers to both the IPv4 and IPv6 protocols. IPv6 is the most recent version of IP and the replacement for the
more common IPv4.
With the IPv4 address, a subnet mask is also necessary. An IPv4 subnet mask is a 32-bit value that separates the network portion of
the address from the host portion. Coupled with the IPv4 address, the subnet mask determines which particular subnet the device is a
member of.
The example in Figure 2 displays the IPv4 address (192.168.1.10), subnet mask (255.255.255.0), and default gateway (192.168.1.1)
assigned to a host. The default gateway address is the IP address of the router that the host will use to access remote networks,
including the Internet.
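The split between network and host portion that the mask performs is easiest to see on the 32-bit values themselves. The following is an added example written for this page, not part of the course material; it works on the sample host above (192.168.1.10, mask 255.255.255.0, gateway 192.168.1.1) and generalizes to any dotted-decimal address and mask, rejecting malformed octets and non-contiguous masks and checking that the default gateway really is on the host's own subnet.

```python
# Added example for this page; not from the course.  Subnet-mask arithmetic on
# the 32-bit values behind dotted-decimal notation.


def dotted_to_int(dotted):
    """Parse dotted-decimal notation into a 32-bit integer, rejecting bad octets."""
    octets = dotted.split(".")
    if len(octets) != 4:
        raise ValueError(f"{dotted!r}: expected four decimal octets")
    value = 0
    for octet in octets:
        if not octet.isdigit() or not 0 <= int(octet) <= 255:
            raise ValueError(f"{dotted!r}: octet {octet!r} is not in 0..255")
        value = (value << 8) | int(octet)
    return value


def int_to_dotted(value):
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def mask_to_int(mask):
    """A valid mask is a run of 1 bits followed by 0 bits; anything else
    (for example 255.0.255.0) is rejected."""
    m = dotted_to_int(mask)
    host_bits = ~m & 0xFFFFFFFF            # the 0 bits of the mask
    if host_bits & (host_bits + 1):        # contiguous <=> one less than a power of two
        raise ValueError(f"{mask} is not a valid subnet mask")
    return m


def prefix_length(mask):
    return bin(mask_to_int(mask)).count("1")


def network_address(address, mask):
    """Network portion: address AND mask, host bits cleared."""
    return int_to_dotted(dotted_to_int(address) & mask_to_int(mask))


def broadcast_address(address, mask):
    """Network portion with every host bit set."""
    m = mask_to_int(mask)
    return int_to_dotted((dotted_to_int(address) & m) | (~m & 0xFFFFFFFF))


def same_subnet(a, b, mask):
    """True when both addresses share the network portion under the mask."""
    m = mask_to_int(mask)
    return (dotted_to_int(a) & m) == (dotted_to_int(b) & m)


def describe_host(address, mask, gateway):
    """The three values a host is configured with, plus the derived network
    values and whether the gateway is reachable on the local subnet."""
    prefix = prefix_length(mask)
    return {
        "address": address,
        "mask": mask,
        "prefix": prefix,
        "network": network_address(address, mask),
        "broadcast": broadcast_address(address, mask),
        "usable_hosts": max(2 ** (32 - prefix) - 2, 0),
        "gateway": gateway,
        "gateway_on_subnet": same_subnet(address, gateway, mask),
    }


if __name__ == "__main__":
    for key, value in describe_host("192.168.1.10", "255.255.255.0", "192.168.1.1").items():
        print(f"{key:>18}: {value}")
```

A gateway that fails the same_subnet check is the classic symptom of a mistyped mask or gateway in the Windows dialog described later: the host has an address but cannot reach any remote network.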
IP addresses can be assigned to both physical ports and virtual interfaces on devices. A virtual interface means that there is no physical
hardware on the device associated with it.
Network communications depend on end user device interfaces, networking device interfaces, and the cables that connect them. Each
physical interface has specifications, or standards, that define it. A cable connecting to the interface must be designed to match the
physical standards of the interface. Types of network media include twisted-pair copper cables, fiber-optic cables, coaxial cables, or
wireless as shown in the figure.
Different types of network media have different features and benefits. Not all network media have the same characteristics or are
appropriate for the same purpose. Some of the differences between various types of media include:
the distance the media can successfully carry a signal
the environment in which the media is to be installed
the amount of data and the speed at which it must be transmitted
the cost of the media and installation
Not only does each link on the Internet require a specific network media type, but each link also requires a particular network
technology. For example, Ethernet is the most common local area network (LAN) technology used today. Ethernet ports are found on
end-user devices, switch devices, and other networking devices that can physically connect to the network using a cable.
Cisco IOS Layer 2 switches have physical ports for devices to connect. These ports do not support Layer 3 IP addresses. Therefore,
switches have one or more switch virtual interfaces (SVIs). These are virtual interfaces because there is no physical hardware on the
device associated with them. An SVI is created in software.
The virtual interface provides a means to remotely manage a switch over a network using IPv4. Each switch comes with one SVI
appearing in the default configuration "out-of-the-box." The default SVI is interface VLAN1.
Note: A Layer 2 switch does not need an IP address. The IP address assigned to the SVI is used to remotely access the switch. An IP
address is not necessary for the switch to perform its operations.
In order for an end device to communicate over the network, it must be configured with a unique IPv4 address and subnet mask. IP
address information can be entered into end devices manually, or automatically using Dynamic Host Configuration Protocol (DHCP).
To manually configure an IPv4 address on a Windows host, open Control Panel > Network and Sharing Center > Change adapter
settings and choose the adapter. Next, right-click and select Properties to display the Local Area Connection Properties shown in
Figure 1.
Highlight Internet Protocol Version 4 (TCP/IPv4) and click Properties to open the Internet Protocol Version 4 (TCP/IPv4)
Properties window shown in Figure 2. Configure the IPv4 address, subnet mask, and default gateway.
Note: The DNS server addresses are the IPv4 addresses of the Domain Name System (DNS) servers, which are used to translate
domain names, such as www.cisco.com, to IP addresses.
PCs typically default to using DHCP for automatic IPv4 address configuration. DHCP is a technology that is used in almost every
network. The best way to understand why DHCP is so popular is by considering all the extra work that would have to take place
without it.
In a network, DHCP enables automatic IPv4 address configuration for every end device that has DHCP enabled. Imagine the amount
of time it would consume if every time you connected to the network, you had to manually enter the IPv4 address, the subnet mask,
the default gateway, and the DNS server. Multiply that by every user and every device in an organization and you see the problem.
Manual configuration also increases the chance of misconfiguration by duplicating another device’s IPv4 address.
As shown in Figure 1, to configure DHCP on a Windows PC, you only need to select “Obtain an IP address automatically" and
“Obtain DNS server address automatically". Your PC will search out a DHCP server and be assigned the address settings necessary to
communicate on the network.
It is possible to display the IP configuration settings on a Windows PC by using the ipconfig command at the command prompt. The
output will show the IPv4 address, subnet mask, and gateway information received from the DHCP server.
To access the switch remotely, an IP address and a subnet mask must be configured on the SVI. To configure an SVI on a switch, use
the interface vlan 1 global configuration command. VLAN 1 is not a physical interface but a virtual one. Next, assign an IPv4
address using the ip address ip-address subnet-mask interface configuration command. Finally, enable the virtual interface using
the no shutdown interface configuration command.
After these commands are configured, the switch has all the IPv4 elements ready for communication over the network.
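The three-command SVI procedure above has two things worth checking before and after it is applied: that the chosen address is a usable host address under its mask, and that the resulting running-config actually carries an address and is not shut down. The following is an added example written for this page, not Cisco code; it uses Python's standard ipaddress module for the validation, and the two running-config fragments in it are constructed (IOS writes the SVI stanza as interface Vlan1 and shows an explicit shutdown line under an interface that is administratively down).

```python
# Added example for this page; not Cisco code.  Builds the SVI commands from
# the text after validating the address, and inspects a running-config for
# the elements the switch needs for IPv4 management access.

import ipaddress


def svi_commands(address, mask, vlan=1):
    """Return the global and interface configuration commands that give the
    switch a management address on its SVI.  Raises ValueError for a
    malformed address or mask, or for the network/broadcast address."""
    iface = ipaddress.IPv4Interface(f"{address}/{mask}")   # rejects non-contiguous masks
    net = iface.network
    if net.prefixlen <= 30 and iface.ip in (net.network_address, net.broadcast_address):
        raise ValueError(f"{address} is the network or broadcast address of {net}; choose a host address")
    return [
        f"interface vlan {vlan}",
        f" ip address {iface.ip} {net.netmask}",
        " no shutdown",
    ]


def svi_status(config, vlan=1):
    """Inspect the 'interface VlanN' stanza of a running-config and report
    whether it exists, which address it carries, and whether it is enabled."""
    lines = config.splitlines()
    try:
        start = lines.index(f"interface Vlan{vlan}")
    except ValueError:
        return {"present": False, "address": None, "enabled": False}
    body = []
    for line in lines[start + 1:]:
        if not line.startswith(" "):       # next top-level line ends the stanza
            break
        body.append(line.strip())
    address = next((l.split(None, 2)[2] for l in body if l.startswith("ip address ")), None)
    return {"present": True, "address": address, "enabled": "shutdown" not in body}


# Constructed running-config fragments: one SVI configured as the text
# describes, one left administratively down.
UP_CONFIG = """\
hostname Sw-Floor-1
!
interface Vlan1
 ip address 192.168.1.20 255.255.255.0
!
end
"""

SHUT_CONFIG = """\
hostname Sw-Floor-1
!
interface Vlan1
 ip address 192.168.1.20 255.255.255.0
 shutdown
!
end
"""


if __name__ == "__main__":
    print("\n".join(svi_commands("192.168.1.20", "255.255.255.0")))
    print(svi_status(UP_CONFIG))
    print(svi_status(SHUT_CONFIG))
```

A stanza that is present with an address but not enabled is the most common reason a freshly configured switch still cannot be reached: the no shutdown step was skipped.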
In the same way that you use commands and utilities like ipconfig to verify a PC host’s network configuration, you also use
commands to verify the interfaces and address settings of intermediary devices like switches and routers.
The ping command can be used to test connectivity to another device on the network or a website on the Internet.