This chapter describes how to configure the Catalyst 6000 family switch supervisor engine software.
This chapter consists of these sections:
Table 3-1 shows the default supervisor engine configuration for the Catalyst 6000 family switch.
| Feature | Default Value |
|---|---|
| Administrative connection | Normal mode |
| Global switch information | |
| System clock | No value for system clock time |
| Passwords | No passwords configured for normal mode or enable mode (press the Return key) |
| Switch prompt | |
These sections describe how to configure the supervisor engine software on the Catalyst 6000 family switch:
You can configure the switch using the setup, show, and clear commands. Enter the setup command to set initial configuration parameters. Enter show commands to verify the configuration and enter the clear commands (or, in some cases, no commands) to overwrite or erase configuration parameters.
Before you configure the supervisor engine software, obtain the following information:
You can configure the switch using one of these procedures:
At initial startup, the switch automatically defaults to the setup facility. (The setup command facility functions exactly the same as a completely unconfigured system functions when you first boot it up.) You can run the setup facility by entering the setup command at the enable prompt (#).
Note that no default or current conditions are shown in square brackets [ ].
The difference between the setup facility and the setup command is that when you enter the setup command, current system configuration defaults are displayed in square brackets [ ] as you move through the setup command process and are queried by the system to make changes.
For example, you will see this display when you use the setup facility:
```
Configuring interface FastEthernet3/1:
  Is this interface in use?: yes
  Configure IP on this interface?: yes
```
When you use the setup command, you see this display:
```
Configuring interface FastEthernet4/1:
  Is this interface in use?[yes]: yes
  Configure IP on this interface?[yes]: yes
```
Note that the default or current conditions of the interface are shown in square brackets [ ].
These sections describe global and interface system configuration parameters:
When you first start the setup facility or enter the setup command, you are queried by the system to configure the global parameters, which are used for controlling system-wide settings.
Perform this procedure to boot the switch and enter the global parameters:
Step 1 Connect a console terminal to the console interface on the supervisor engine, and then boot the system to the user EXEC prompt (Router>).
Step 2 Note that when you boot up, the following display appears after 30 seconds. (Depending on your configuration, your display might not exactly match this display.) When you see this display, you have successfully booted your system.
```
System Bootstrap, Version 5.2(1)CSX
Copyright (c) 1994-1999 by cisco Systems, Inc.
c6k_sup1 processor with 65536 Kbytes of main memory

              Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

           cisco Systems, Inc.
           170 West Tasman Drive
           San Jose, California 95134-1706

Cisco Internetwork Operating System Software
IOS (tm) draco-mp Software (draco_mp-JSDBG-M), Version 12.0(6.5)XE1(0.36) INTERIM TEST SOFTWARE
Copyright (c) 1986-1999 by cisco Systems, Inc.
Compiled Mon 20-Sep-99 01:51 by
Image text-base: 0x60020900, data-base: 0x61108000

cisco Cat6k-MSFC (R5000) processor with 57344K/8192K bytes of memory.
Processor board ID 3024158973
R5000 CPU at 200Mhz, Implementation 35, Rev 2.1, 512KB L2 Cache
Last reset from power-on
Bridging software.
X.25 software, Version 3.0.0.
SuperLAT software (copyright 1990 by Meridian Technology Corp).
TN3270 Emulation software.
48 FastEthernet/IEEE 802.3 interface(s)
2 Gigabit Ethernet/IEEE 802.3 interface(s)
123K bytes of non-volatile configuration memory.

4096K bytes of packet SRAM memory.
16384K bytes of Flash internal SIMM (Sector size 256K).

Building configuration...
[OK]

Press RETURN to get started!

         --- System Configuration Dialog ---
Continue with configuration dialog? [yes/no]: y
At any point you may enter a question mark '?' for help.
Use ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.

Basic management setup configures only enough connectivity
for management of the system, extended setup will ask you
to configure each interface on the system
```
Step 3 Enter yes or press Return when asked if you want to enter the configuration dialog and if you want to see the current interface summary. Press Return to accept the default (yes):
```
Would you like to enter the initial configuration dialog? [yes]:
First, would you like to see the current interface summary? [yes]:
```
This example of a yes response (displayed during the setup facility) shows a switch at first-time startup; that is, nothing has been configured on the switch.
```
Current interface summary

Interface          IP-Address  OK? Method Status                Protocol
Vlan1              unassigned  YES TFTP   administratively down down
GigabitEthernet1/1 unassigned  YES TFTP   administratively down down
GigabitEthernet1/2 unassigned  YES TFTP   administratively down down
GigabitEthernet3/1 unassigned  YES TFTP   administratively down down
GigabitEthernet3/2 unassigned  YES TFTP   administratively down down
GigabitEthernet3/3 unassigned  YES TFTP   administratively down down
GigabitEthernet3/4 unassigned  YES TFTP   administratively down down
GigabitEthernet3/5 unassigned  YES TFTP   administratively down down
GigabitEthernet3/6 unassigned  YES TFTP   administratively down down
GigabitEthernet3/7 unassigned  YES TFTP   administratively down down
GigabitEthernet3/8 unassigned  YES TFTP   administratively down down
(Additional displayed text omitted from this example.)
```
This example of a yes response (displayed during the setup command facility) shows a switch with some interfaces already configured.
```
Current interface summary

Interface          IP-Address   OK? Method Status                Protocol
Vlan1              unassigned   YES TFTP   administratively down down
GigabitEthernet1/1 172.20.52.34 YES NVRAM  up                    up
GigabitEthernet1/2 unassigned   YES TFTP   administratively down down
GigabitEthernet3/1 unassigned   YES TFTP   administratively down down
GigabitEthernet3/2 unassigned   YES TFTP   administratively down down
GigabitEthernet3/3 unassigned   YES TFTP   administratively down down
GigabitEthernet3/4 unassigned   YES TFTP   administratively down down
GigabitEthernet3/5 unassigned   YES TFTP   administratively down down
GigabitEthernet3/6 unassigned   YES TFTP   administratively down down
GigabitEthernet3/7 unassigned   YES TFTP   administratively down down
GigabitEthernet3/8 unassigned   YES TFTP   administratively down down
(Additional displayed text omitted from this example.)
```
Step 4 Choose which protocols to support on your interfaces. On IP installations only, you can accept the default values for most of the questions.
A typical minimal configuration using IP follows and continues through Step 9:
```
Configuring global parameters:

  Enter host name [Router]: Router
```
Step 5 Enter the enable secret password when the following is displayed (remember this password for future reference):
```
  The enable secret is a password used to protect access to
  privileged EXEC and configuration modes. This password, after
  entered, becomes encrypted in the configuration.
  Enter enable secret: barney
```
Step 6 Enter the enable password when the following is displayed (remember this password for future reference):
```
  The enable password is used when you do not specify an
  enable secret password, with some older software versions, and
  some boot images.
  Enter enable password: wilma
```
The commands available at the user EXEC level are a subset of those available at the privileged EXEC level. Because many privileged EXEC commands are used to set operating parameters, you should password-protect these commands to prevent unauthorized use.
You must enter the correct password to gain access to privileged EXEC commands. When you are running from the boot ROM monitor, the enable password might be used depending on your boot ROM level.
The passwords should be different for maximum security. If you enter the same password for both during the setup script, the system will accept it, but you will receive a warning message indicating that you should enter a different password.
Step 7 Enter the virtual terminal password when the following is displayed (remember this password for future reference):
```
  The virtual terminal password is used to protect
  access to the router over a network interface.
  Enter virtual terminal password: bambam
```
Step 8 In most cases you will use IP routing. If so, you must also select an interior routing protocol. You can specify Enhanced Interior Gateway Routing Protocol (EIGRP) to operate on your system using setup.
Enter yes (the default) or press Return to configure IP, and then select EIGRP:
```
  Configure IP? [yes]:
    Configure EIGRP routing? [yes]:
      Your IGRP autonomous system number [1]: 301
```
Step 9 Enter yes or no to accept or refuse SNMP management:
```
  Configure SNMP Network Management? [yes]:
    Community string [public]:
```
For detailed SNMP configuration information, refer to the IOS Configuration Fundamentals Configuration Guide.
As a review of what you have done, a display, similar to the following, appears and lists all of the configuration parameters you selected in Steps 4 through 9. These parameters and their defaults are shown in the order in which they appeared on your console terminal.
```
The following configuration command script was created:

hostname router
enable secret 5 $1$S3Lx$uiTYg2UrFK1U0dgWdjvxw.
enable password lab
line vty 0 4
password lab
no snmp-server
!
ip routing
eigrp 301
!
interface Vlan1
shutdown
no ip address
!
interface GigabitEthernet1/1
shutdown
no ip address
!
interface GigabitEthernet1/2
shutdown
no ip address
!
.
(Information Deleted)
.
!
end

[0] Go to the IOS command prompt without saving this config.
[1] Return back to the setup without saving this config.
[2] Save this configuration to nvram and exit.

Enter your selection [2]: 2
% You can enter the setup, by typing setup at IOS command prompt

Router#
```
This completes the procedure on how to configure global parameters. The setup facility continues with the process to configure interfaces in the next section "Configuring Interfaces."
This section provides steps for configuring installed interfaces (using the setup facility or setup command facility) to allow communication over your external networks. To configure the interface parameters, you need your interface network addresses, subnet mask information, and which protocols you want to configure; consult with your network administrator for this information. (For additional interface configuration information on each of the modules available for the switch, refer to the individual configuration notes that shipped with your modules.)
Perform this procedure to configure the interfaces installed in your switch:
Step 1 At the prompt for the Gigabit Ethernet interface configuration, enter the appropriate responses for your needs, using your own address and subnet mask:
```
Do you want to configure GigabitEthernet1/1 interface? [no]: yes
  Configure IP on this interface? [no]: yes
    IP address for this interface: 172.20.52.34
    Subnet mask for this interface [255.255.0.0] : 255.255.255.224
    Class B network is 172.20.0.0, 27 subnet bits; mask is /27
```
The Gigabit Ethernet interface, located on the supervisor engine, allows connections to Gigabit Ethernet networks. In this example, the system is being configured for the Ethernet interface using IP. (Note that the Gigabit Ethernet interface does not support external routing functions.)
Step 2 At the prompt for the Fast Ethernet interfaces, enter the appropriate responses for your needs, using your own address and subnet mask:
```
Do you want to configure FastEthernet5/1 interface? [no]: y
  Configure IP on this interface? [no]: y
    IP address for this interface: 172.20.52.98
    Subnet mask for this interface [255.255.0.0] : 255.255.255.248
    Class B network is 172.20.0.0, 29 subnet bits; mask is /29
```
The Fast Ethernet interfaces allow connections to Fast Ethernet networks. In this example, the system is being configured for a Fast Ethernet interface using IP.
Repeat the step for each interface you need to configure. Proceed to Step 3 to check and verify your configuration parameters.
When you reach and respond to the configuration dialog for the last installed interface, your interface configuration is complete.
Step 3 Check and verify the entire list of configuration parameters, which should display on your console terminal and end with the following query:
```
Use this configuration? [yes/no]:
```
A no response places you back at the enable prompt (#) and you will need to reissue the setup command to reenter your configuration. A yes response saves the running configuration to NVRAM, as follows:
```
Use this configuration? [yes/no]: yes
[OK]
Use the enabled mode `configure' command to modify this configuration.

Press RETURN to get started!
```
After you press the Return key, this prompt appears:
```
Router>
```
This completes the procedures for configuring global parameters and interface parameters in your system. Your Ethernet interfaces are now available for limited use.
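The "Class B network is 172.20.0.0, 27 subnet bits; mask is /27" summary that the setup dialog prints after each subnet mask can be checked offline before you type addresses into the dialog. The following is an added example (not code from the Cisco guide) that reproduces that line for the two interfaces above, rejects a non-contiguous mask or one shorter than the classful default, and additionally reports the interface's subnet and usable host count; the dialog's "subnet bits" figure is taken to be the full prefix length, as the output above shows.

```python
import ipaddress

# Default prefix length of each classful unicast network.
CLASS_DEFAULT_PREFIX = {"A": 8, "B": 16, "C": 24}


def address_class(addr: ipaddress.IPv4Address) -> str:
    """Classify an IPv4 unicast address by its leading bits."""
    first_octet = int(addr) >> 24
    if first_octet < 128:
        return "A"
    if first_octet < 192:
        return "B"
    if first_octet < 224:
        return "C"
    raise ValueError(f"{addr} is not a class A, B or C unicast address")


def subnet_summary(ip: str, mask: str) -> dict:
    """Compute what the setup dialog reports for an interface address and mask.

    Raises ValueError for a non-contiguous mask (ipaddress rejects it) or for
    a mask shorter than the classful default, which would not be a subnet of
    the classful network the dialog names.
    """
    iface = ipaddress.IPv4Interface(f"{ip}/{mask}")  # validates the mask
    cls = address_class(iface.ip)
    default_len = CLASS_DEFAULT_PREFIX[cls]
    prefix = iface.network.prefixlen
    if prefix < default_len:
        raise ValueError(f"/{prefix} is shorter than the class {cls} default /{default_len}")
    classful = ipaddress.IPv4Network(f"{ip}/{default_len}", strict=False)
    return {
        "class": cls,
        "network": str(classful.network_address),
        # The dialog prints the full prefix length as "subnet bits".
        "subnet_bits": prefix,
        "prefix": prefix,
        "subnet": str(iface.network),
        # Host addresses on the interface's subnet, excluding the network
        # and broadcast addresses (0 for /31 and /32).
        "usable_hosts": max(iface.network.num_addresses - 2, 0),
    }


def summary_line(ip: str, mask: str) -> str:
    """Render the summary in the form the setup dialog prints it."""
    s = subnet_summary(ip, mask)
    return (f"Class {s['class']} network is {s['network']}, "
            f"{s['subnet_bits']} subnet bits; mask is /{s['prefix']}")


if __name__ == "__main__":
    for ip, mask in (("172.20.52.34", "255.255.255.224"),
                     ("172.20.52.98", "255.255.255.248")):
        print(summary_line(ip, mask))
```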
If you want to modify the currently saved configuration parameters after the initial configuration, enter the setup command; to perform more complex configurations, enter configuration mode and use the configure command. Check the current state of the switch using the show version command, which displays the release of IOS software that is available on the switch and the installed interfaces, as follows:
```
Router# show version
Cisco Internetwork Operating System Software
IOS (tm) draco-mp Software (draco_mp-JSDBG-M), Version 12.0(6.5)XE1(0.39) INTERIM TEST SOFTWARE
Copyright (c) 1986-1999 by cisco Systems, Inc.
Compiled Fri 24-Sep-99 02:23 by
Image text-base: 0x60020900, data-base: 0x61110000

ROM: System Bootstrap, Version 12.0(3)XE, RELEASE SOFTWARE
BOOTFLASH: draco-mp Software (draco_mp-BOOTDBG-M), Version 12.0(5.4)XE1(0.15) INTERIM TEST SOFTWARE

Router uptime is 2 days, 18 hours, 16 minutes
System returned to ROM by abort at PC 0x600EB19C
System image file is "sup-bootflash"

cisco Cat6k-MSFC (R5000) processor with 57344K/8192K bytes of memory.
Processor board ID 3024158973
R5000 CPU at 200Mhz, Implementation 35, Rev 2.1, 512KB L2 Cache
Last reset from power-on
Bridging software.
X.25 software, Version 3.0.0.
SuperLAT software (copyright 1990 by Meridian Technology Corp).
TN3270 Emulation software.
48 FastEthernet/IEEE 802.3 interface(s)
2 Gigabit Ethernet/IEEE 802.3 interface(s)
123K bytes of non-volatile configuration memory.

4096K bytes of packet SRAM memory.
16384K bytes of Flash internal SIMM (Sector size 256K).
Configuration register is 0x0

Router#
```
For detailed interface configuration information, refer to the IOS Interface Configuration Guide.
If you prefer not to use the setup facility, you can configure the switch from configuration mode as follows:
Step 1 Connect a console terminal to the console interface of your supervisor engine.
Step 2 When you are asked if you want to enter the initial dialog, answer no to go into the normal operating mode of the switch as follows:
```
Would you like to enter the initial dialog? [yes]: no
```
Step 3 After a few seconds you will see the user EXEC prompt (Router>). Type enable to enter enable mode:
```
Router> enable
```
The prompt will change to the privileged EXEC prompt (#) as follows:
```
Router#
```
Step 4 At the prompt (#), enter the configure terminal command to enter configuration mode as follows:
```
Router# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#
```
At the prompt, enter the interface type slot/interface command to enter interface configuration mode as follows:
```
Router(config)# interface fastethernet 5/1
Router(config-if)#
```
In either of these configuration modes, you can enter any changes to the switch configuration. Enter the end command to exit configuration mode.
Step 5 Save your settings. (See the "Saving the Running Configuration Settings and Reviewing Your Configuration" section.)
Your switch is now minimally configured and can boot with the configuration you entered. To see a list of the configuration commands, enter ? at the prompt or press the help key in configuration mode.
You can check the configuration settings you entered or changes you made by entering show running-config command at the privileged EXEC prompt (#) as follows:
```
Router# show running-config
Building configuration...

Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router
(Information Deleted)
!
line con 0
 transport input none
line vty 0 4
 exec-timeout 0 0
 password lab
 login
 transport input lat pad dsipcon mop telnet rlogin udptn nasi
!
end

Router#
```
To store the configuration or changes to your startup configuration in NVRAM, enter copy running-config startup-config at the privileged EXEC prompt (#) as follows:
```
Router# copy running-config startup-config
```
This command saves the configuration settings that you created in configuration mode. If you fail to do this, your configuration will be lost the next time you reload the system. To display information stored in NVRAM, enter the show startup-config EXEC command.
The following sample output shows a typical system configuration:
```
Router# show startup-config
Using 5362 out of 126968 bytes
!
version 12.0
service timestamps debug datetime localtime
service timestamps log datetime localtime
no service password-encryption
!
hostname Router
!
boot system flash sup-bootflash
enable password lab
!
ip subnet-zero
no ip domain-lookup
!
ip cef
mls ipx
mls flow ip destination
mls flow ipx destination
 --More--
(Information Deleted)
!
line con 0
 exec-timeout 0 0
 transport input none
line vty 0 4
 exec-timeout 0 0
 password lab
 login
 transport input lat pad dsipcon mop telnet rlogin udptn nasi
!
end

Router#
```
This section describes how to establish a connection through the console interface on the supervisor engine.
Make sure the terminal is connected to the switch and that the switch and terminal are on. Perform this task to establish a console interface connection to the switch:

| Step | Command | Purpose |
|---|---|---|
| 1 | | Access the switch command-line interface (CLI) using the appropriate commands on the terminal (for example, using the tip command on a UNIX system). |
| 2 | | Press Return to enter user EXEC mode. |
| 3 | Router> enable | Change to privileged EXEC mode. |
| 4 | Password: password | Enter the privileged EXEC password at the prompt. |
This example shows how to enter the privileged EXEC mode at the console connection:
```
Unix> telnet Router1
Trying Router1
Connected to Router1
Escape character is '^]'.
Press Return for Console prompt

Router> enable
Password:
Router#
```
The supervisor engine sends IP packets with unresolved destination IP addresses to the default gateway.
A switch that is not running a routing protocol needs to be able to send data to addresses on subnets other than its own. The default-gateway or default-router parameter is set manually and the value of this parameter is the address of the next-hop router interface. The default gateway should point to the IP address of an interface on a router that is directly connected to the switch where a default gateway is being configured. The switch will have connectivity to the remote networks with which the host needs to communicate.
When your Catalyst 6000 family switch is routing IP, it does not need to have a default gateway set. However, when your Catalyst 6000 family switch is in boot ROM mode (for instance, when upgrading Flash), it is no longer routing IP; it is an IP host. If connectivity is required to remote networks, the Catalyst 6000 family switch needs the ip default-gateway address configured, where the address is the IP address of the next-hop router that can provide connectivity.
To specify a default gateway, perform this task:
| Step | Command | Purpose |
|---|---|---|
| 1 | Router(config)# ip default-gateway A.B.C.D | Configure a default IP gateway address for the switch. |
| 2 | Router# show ip route | Verify that the default gateway appears correctly in the IP routing table. |
This example shows how to configure a default gateway and how to verify the default gateway configuration:
```
Router# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# ip default-gateway 172.20.52.35
Router(config)# end
3d17h: %SYS-5-CONFIG_I: Configured from console by console
Router# show ip route
Default gateway is 172.20.52.35

Host               Gateway           Last Use    Total Uses  Interface
ICMP redirect cache is empty
Router#
```
If your Telnet station or SNMP network management workstation is on a different network from your Catalyst 6000 family switch and a routing protocol has not been configured, you might need to add a static routing table entry for the network where your end station is located.
To configure a static route, perform this task:
| Step | Command | Purpose |
|---|---|---|
| 1 | Router(config)# ip route dest-IP-address mask {forwarding-IP \| vlan vlan-number} | Configure a static route to the remote network. |
| 2 | Router# show running-config | Verify that the static route appears correctly. |
This example shows how to use the ip route command on the Catalyst 6000 family switch to configure a static route to a workstation at IP address 171.10.5.10, with the subnet mask shown and 172.20.3.35 as the IP address of the forwarding router:
```
Router# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# ip route 171.10.5.10 255.255.255.255 172.20.3.35
Router(config)# end
Router#
```
This example shows how to use the show running-config command to confirm the configuration of the previously configured static route:
```
Router# show running-config
Building configuration...
.
(Information Deleted)
.
ip default-gateway 172.20.52.35
ip classless
ip route 171.10.5.10 255.255.255.255 172.20.3.35
no ip http server
!
line con 0
 transport input none
line vty 0 4
 exec-timeout 0 0
 password lab
 login
 transport input lat pad dsipcon mop telnet rlogin udptn nasi
!
end

Router#
```
This example shows how to use the ip route command on the Catalyst 6000 family switch to configure a static route to a workstation at IP address 171.20.5.3, with the subnet mask shown, reachable over VLAN 1:
```
Router# configure terminal
Router(config)# ip route 171.20.5.3 255.255.255.255 vlan 1
Router(config)# end
Router#
```
This example shows how to use the show running-config command to confirm the configuration of the previously configured static route:
```
Router# show running-config
Building configuration...
.
(Information Deleted)
.
ip default-gateway 172.20.52.35
ip classless
ip route 171.20.52.3 255.255.255.255 Vlan1
no ip http server
!
!
x25 host z
!
line con 0
 transport input none
line vty 0 4
 exec-timeout 0 0
 password lab
 login
 transport input lat pad dsipcon mop telnet rlogin udptn nasi
!
end

Router#
```
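The default gateway and the two forms of static route above (next hop given as a forwarding IP address, or as a VLAN interface) can be read back from the running configuration and resolved for a destination address. This is an added example, not code from the Cisco guide: it parses the ip route and ip default-gateway lines, picks the most specific matching route, and falls back to the default gateway when nothing else matches. The 171.20.5.0/24 route via 172.20.52.40 in the sample is a constructed addition so that a /24 and a /32 can compete for the same destination.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed excerpt in the form of the show running-config output above.
# The /24 route via 172.20.52.40 is an assumption made for this example.
SAMPLE_CONFIG = """\
ip default-gateway 172.20.52.35
ip classless
ip route 171.10.5.10 255.255.255.255 172.20.3.35
ip route 171.20.5.3 255.255.255.255 Vlan1
ip route 171.20.5.0 255.255.255.0 172.20.52.40
"""

# (destination network, next hop address or outgoing interface name)
Route = Tuple[ipaddress.IPv4Network, str]


def parse_routes(config: str) -> Tuple[List[Route], Optional[ipaddress.IPv4Address]]:
    """Collect 'ip route dest mask next-hop' lines and the ip default-gateway."""
    routes: List[Route] = []
    default_gw: Optional[ipaddress.IPv4Address] = None
    for line in config.splitlines():
        parts = line.split()
        if parts[:2] == ["ip", "route"] and len(parts) == 5:
            # IPv4Network accepts the dotted mask form used by IOS.
            net = ipaddress.IPv4Network(f"{parts[2]}/{parts[3]}", strict=False)
            routes.append((net, parts[4]))
        elif parts[:2] == ["ip", "default-gateway"] and len(parts) == 3:
            default_gw = ipaddress.IPv4Address(parts[2])
    return routes, default_gw


def next_hop(dest: str, routes: List[Route],
             default_gw: Optional[ipaddress.IPv4Address]) -> Optional[Tuple[str, str, str]]:
    """Return (matched prefix, kind, target) for dest, or None if nothing applies.

    The most specific (longest prefix) static route wins.  With no matching
    static route the ip default-gateway is used; as the text above notes,
    that is the path the switch relies on when it acts as an IP host
    (for instance in boot ROM mode) rather than routing IP.
    """
    addr = ipaddress.IPv4Address(dest)
    matches = [r for r in routes if addr in r[0]]
    if matches:
        net, target = max(matches, key=lambda r: r[0].prefixlen)
        # A target that does not parse as an address names an interface (e.g. Vlan1).
        try:
            ipaddress.IPv4Address(target)
            kind = "gateway"
        except ValueError:
            kind = "interface"
        return (str(net), kind, target)
    if default_gw is not None:
        return ("0.0.0.0/0", "default-gateway", str(default_gw))
    return None


if __name__ == "__main__":
    routes, gw = parse_routes(SAMPLE_CONFIG)
    for dest in ("171.20.5.3", "171.20.5.7", "171.10.5.10", "192.0.2.1"):
        print(dest, "->", next_hop(dest, routes, gw))
```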
The switch performs a BOOTP request only if the current IP address is set to 0.0.0.0. (This is the default for a new switch or a switch that has had its startup-config file cleared using the erase command.)
Step 1 Install the BOOTP server code on the workstation, if it is not already installed.
Step 2 Determine the MAC address from the label on the chassis.
Step 3 Add an entry in the BOOTP configuration file (usually /usr/etc/bootptab) for each switch. Press Return after each entry to create a blank line between each entry. See the example BOOTP configuration file that follows.
Step 4 Restart the Catalyst 6000 family switch, using the reload command, to automatically request the IP address from the BOOTP server.
This example BOOTP configuration file shows the added entry:
```
# /etc/bootptab: database for bootp server (/etc/bootpd)
#
# Blank lines and lines beginning with '#' are ignored.
#
# Legend:
#
# first field -- hostname
#               (may be full domain name and probably should be)
#
# hd -- home directory
# bf -- bootfile
# cs -- cookie servers
# ds -- domain name servers
# gw -- gateways
# ha -- hardware address
# ht -- hardware type
# im -- impress servers
# ip -- host IP address
# lg -- log servers
# lp -- LPR servers
# ns -- IEN-116 name servers
# rl -- resource location protocol servers
# sm -- subnet mask
# tc -- template host (points to similar host entry)
# to -- time offset (seconds)
# ts -- time servers
# <information deleted>
#
#########################################################################
# Start of individual host entries
#########################################################################

Router: tc=netcisco0: ha=0000.0ca7.ce00: ip=172.31.7.97:
dross: tc=netcisco0: ha=00000c000139: ip=172.31.7.26:
<information deleted>
```
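Before reloading the switch in Step 4, it is worth checking that the entry you added can actually be matched against the hardware address on the chassis label: the two host lines above write the address in different forms (dotted 0000.0ca7.ce00 and plain 00000c000139), and both inherit their remaining settings from the netcisco0 template through tc. The following is an added example (not code from the Cisco guide) that parses entries in this bootptab format, resolves tc inheritance, normalises both hardware-address forms, and looks up the entry for a given MAC address. The netcisco0 template line and its sm and gw values are constructed for the sample.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample in the format of the /etc/bootptab shown above. The
# netcisco0 template entry is an assumption; the host lines match the page.
SAMPLE_BOOTPTAB = """\
# /etc/bootptab: database for bootp server (/etc/bootpd)
# Blank lines and lines beginning with '#' are ignored.

netcisco0: sm=255.255.255.0: gw=172.31.7.1: ht=ethernet:

Router: tc=netcisco0: ha=0000.0ca7.ce00: ip=172.31.7.97:
dross: tc=netcisco0: ha=00000c000139: ip=172.31.7.26:
"""

Entry = Dict[str, object]


def normalize_mac(raw: str) -> str:
    """Accept 0000.0ca7.ce00, 00000c000139 or 00:00:0c:a7:ce:00 and return aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"hardware address {raw!r} is not 48 bits")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_bootptab(text: str) -> Dict[str, Entry]:
    """Parse 'name: tag=value: tag=value:' lines into a dict keyed by entry name."""
    entries: Dict[str, Entry] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        name, tags = fields[0], {}
        for field in fields[1:]:
            if not field:
                continue
            if "=" in field:
                key, value = field.split("=", 1)
                tags[key] = value
            else:
                tags[field] = True  # boolean tag without a value
        entries[name] = tags
    return entries


def resolve(entries: Dict[str, Entry], name: str, _seen=None) -> Entry:
    """Return the entry with tc template settings merged in (own tags win)."""
    seen = set() if _seen is None else _seen
    if name in seen:
        raise ValueError(f"tc loop at {name!r}")
    seen.add(name)
    tags = dict(entries[name])
    template = tags.pop("tc", None)
    if template:
        merged = dict(resolve(entries, str(template), seen))
        merged.update(tags)
        tags = merged
    if "ha" in tags:
        tags["ha"] = normalize_mac(str(tags["ha"]))
    return tags


def host_for_mac(entries: Dict[str, Entry], mac: str) -> Optional[Tuple[str, Entry]]:
    """Find the entry whose hardware address matches mac and has an IP to hand out."""
    wanted = normalize_mac(mac)
    for name in entries:
        host = resolve(entries, name)
        if host.get("ha") == wanted and "ip" in host:
            return name, host
    return None


if __name__ == "__main__":
    table = parse_bootptab(SAMPLE_BOOTPTAB)
    print(host_for_mac(table, "00-00-0C-A7-CE-00"))
```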
The following tasks provide a way to control access to the system configuration file and privileged EXEC commands:
To set or change a static password that controls access to the privileged EXEC mode, perform this task:
| Command | Purpose |
|---|---|
| Router(config)# enable password password | Set a new password or change an existing password for the privileged EXEC mode. |
This example shows how to configure an enable password as "lab" at the privileged EXEC mode:
```
Router# configure terminal
Router(config)# enable password lab
Router(config)#
```
To display the password or access level configuration, see the "Displaying the Password and Privilege Level Configuration" section.
To provide an additional layer of security, particularly for passwords that cross the network or that are stored on a TFTP server, you can use either the enable password or enable secret commands. Both commands accomplish the same thing; that is, they allow you to establish an encrypted password that users must enter to access enable mode (the default), or any privilege level you specify.
We recommend that you use the enable secret command because it uses an improved encryption algorithm.
If you configure the enable secret command, it takes precedence over the enable password command; the two commands cannot be in effect simultaneously.
To configure the Catalyst 6000 family switch to require an enable password, perform either of these tasks:
| Command | Purpose |
|---|---|
| Router(config)# enable password [level level] {password \| encryption-type encrypted-password} | Establish a password for the privileged EXEC mode. |
| or | |
| Router(config)# enable secret [level level] {password \| encryption-type encrypted-password} | Specify a secret password, saved using a nonreversible encryption method. (If enable password and enable secret commands are both set, users must enter the enable secret password.) |
Use either of these commands with the level option to define a password for a specific privilege level. After you specify the level and set a password, give the password only to users who need to have access at this level. Use the privilege level configuration command to specify commands accessible at various levels.
If you enable the service password-encryption command, the password you enter is encrypted. When you display it with the more system:running-config command, it displays in encrypted form.
If you specify an encryption type, you must provide an encrypted password, that is, an encrypted password you copy from another Catalyst 6000 family switch configuration.
To display the password or access level configuration go to the "Displaying the Password and Privilege Level Configuration" section.
To set or change a password on a line, perform this task:
| Command | Purpose |
|---|---|
| Router(config-line)# password password | Set a new password or change an existing password for the privileged level. |
To display the password or access level configuration, see the "Displaying the Password and Privilege Level Configuration" section.
To set the TACACS+ protocol to determine whether a user can access privileged EXEC mode, perform this task:
| Command | Purpose |
|---|---|
| Router(config)# enable use-tacacs | Set the TACACS-style user ID and password-checking mechanism for the privileged EXEC mode. |
When you set TACACS password protection at the privileged EXEC mode, the enable EXEC command prompts for both a new username and a password. This information is then passed to the TACACS+ server for authentication. If you are using the extended TACACS+, it also passes any existing UNIX user identification code to the TACACS+ server.
Caution: If you use the enable use-tacacs command, you must also specify tacacs-server authenticate enable, or you will be locked out of the privileged EXEC mode.
For detailed TACACS+ configuration information, see "Configuring Network Security."
Because protocol analyzers can examine packets (and read passwords), you can increase access security by configuring the IOS software to encrypt passwords. Encryption prevents the password from being readable in the configuration file.
To configure the IOS software to encrypt passwords, perform this task:
| Command | Purpose |
|---|---|
| Router(config)# service password-encryption | Encrypt a password. |
Encryption occurs when the current configuration is written or when a password is configured. Password encryption is applied to all passwords, including authentication key passwords, the privileged command password, console and virtual terminal line access passwords, and Border Gateway Protocol (BGP) neighbor passwords. The service password-encryption command keeps unauthorized individuals from viewing your password in your configuration file.
Caution: The service password-encryption command does not provide a high level of network security. If you use this command, you should also take additional network security measures.
Although you cannot recover a lost encrypted password (that is, you cannot get the original password back), you can regain control of the switch after having lost or forgotten the encrypted password. See the "Recovering a Lost Enable Password" section if you lose or forget your password.
To display the password or access level configuration, see the "Displaying the Password and Privilege Level Configuration" section.
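The settings discussed in the preceding sections (enable secret versus enable password, service password-encryption, line passwords) are all visible in the show running-config output shown earlier, so they can be audited from a saved copy of the configuration. The following is an added example (not code from the Cisco guide) that walks a configuration in that form and reports a finding for each weak setting: clear-text storage, a clear-text or type 7 enable password standing in for enable secret, an enable password left in place beside an enable secret (which the text above says takes precedence), a default SNMP community string, and vty lines that rely on a shared line password or accept Telnet. The finding codes and the sample configuration are this example's own constructions, modelled on the output above.

```python
import re
from typing import List, Tuple

# Constructed sample modelled on the show running-config output above.
SAMPLE_CONFIG = """\
version 12.0
no service password-encryption
hostname Router
enable password lab
snmp-server community public RO
line con 0
 transport input none
line vty 0 4
 exec-timeout 0 0
 password lab
 login
 transport input lat pad dsipcon mop telnet rlogin udptn nasi
end
"""

# enable password|secret [level N] [0|5|7] <value>; group 2 is the encryption type.
ENABLE_RE = re.compile(r"^enable (password|secret)(?: level \d+)?(?: ([057]))? \S+$")

Finding = Tuple[str, str]


def audit_passwords(config: str) -> List[Finding]:
    """Return (code, detail) findings for the password-related settings in an IOS config."""
    findings: List[Finding] = []
    lines = [line.rstrip() for line in config.splitlines()]
    has_secret = any(line.startswith("enable secret") and ENABLE_RE.match(line) for line in lines)
    stanza = None  # the current top-level 'line ...' stanza, if inside one
    for raw in lines:
        text = raw.strip()
        if not raw.startswith(" "):
            # IOS indents sub-commands by one space; an unindented line ends the stanza.
            stanza = text if text.startswith("line ") else None
        if text == "no service password-encryption":
            findings.append(("CLEARTEXT_CONFIG",
                             "passwords are written to the configuration unencrypted"))
        m = ENABLE_RE.match(text)
        if m and m.group(1) == "password":
            enc_type = m.group(2) or "0"
            if has_secret:
                findings.append(("ENABLE_PASSWORD_UNUSED",
                                 "enable secret takes precedence; remove the enable password"))
            elif enc_type == "0":
                findings.append(("ENABLE_PASSWORD_CLEAR",
                                 "privileged EXEC is protected only by a clear-text enable password"))
            elif enc_type == "7":
                findings.append(("ENABLE_PASSWORD_TYPE7",
                                 "type 7 enable password is reversible; use enable secret"))
        if text.startswith("snmp-server community "):
            community = text.split()[2]
            if community.lower() in ("public", "private"):
                findings.append(("SNMP_DEFAULT_COMMUNITY",
                                 f"community string {community!r} is a well-known default"))
        if stanza and stanza.startswith("line vty"):
            if text.startswith("password "):
                findings.append(("VTY_LINE_PASSWORD", f"{stanza} uses a shared line password"))
            if text.startswith("transport input "):
                protocols = text.split()[2:]
                if "telnet" in protocols or "all" in protocols:
                    findings.append(("VTY_TELNET",
                                     f"{stanza} accepts Telnet; passwords cross the network readable"))
    return findings


if __name__ == "__main__":
    for code, detail in audit_passwords(SAMPLE_CONFIG):
        print(f"{code:24} {detail}")
```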
By default, the IOS software has two modes of password security: user EXEC mode and privileged EXEC mode. You can configure up to 16 hierarchical levels of commands for each mode. By configuring multiple passwords, you can allow different sets of users to have access to specified commands.
For example, if you want many users to have access to the clear line command, you can assign it level 2 security and distribute the level 2 password fairly widely. But if you want more restricted access to the configure command, you can assign it level 3 security and distribute that password to more restricted users.
These tasks describe how to configure additional levels of security:
To set the privilege level for a command mode, perform this task:
| Step | Command | Purpose |
|---|---|---|
| 1 | Router(config)# privilege mode level level command | Set the privilege level for a command. |
| 2 | Router(config)# enable password level level [encryption-type] password | Specify the enable password for a privilege level. |
To display the password or access level configuration, see the "Displaying the Password and Privilege Level Configuration" section.
To change the default privilege level for a given line or a group of lines, perform this task:
| Command | Purpose |
|---|---|
| Router(config-line)# privilege level level | Change the default privilege level for the line. |
To display the password or access level configuration, see the "Displaying the Password and Privilege Level Configuration" section.
To log in to a Catalyst 6000 family switch at a specified privilege level, perform this task:
| Command | Purpose |
|---|---|
| Router# enable level | Log in to a specified privilege level. |
To exit to a specified privilege level, perform this task:
| Command | Purpose |
|---|---|
| Router# disable level | Exit to a specified privilege level. |
To display the password and privilege level configuration for the switch, perform this task:
| Command | Purpose |
|---|---|
| Router# show running-config | Display the password and access level configuration. |
| Router# show privilege | Show the privilege level configuration. |
This example shows how to display the password and access level configuration of the switch:
```
Router# show running-config
Building configuration...

Current configuration:
!
version 12.0
service timestamps debug datetime localtime
service timestamps log datetime localtime
no service password-encryption
!
hostname Router
!
boot system flash sup-bootflash
enable password lab
!
(Information Deleted)
```
This example shows how to display the privilege level configuration of the switch:
```
Router# show privilege
Current privilege level is 15
Router#
```
You can perform password recovery on most of the platforms without changing hardware jumpers, but all platforms require the configuration to be reloaded. Password recovery can be done only from the console interface on the Catalyst 6000 family switch.
Both password recovery procedures involve the following basic steps:
Step 1 Configure the Catalyst 6000 family switch to boot up without reading the configuration memory (NVRAM). This is sometimes called the test system mode.
Step 2 Reboot the system.
Step 3 Access enable mode (which can be done without a password if you are in test system mode).
Step 4 View or change the password, or erase the configuration.
Step 5 Reconfigure the Catalyst 6000 family switch to boot up and read the NVRAM as it normally does.
Step 6 Reboot the system.
These sections describe how the startup configuration on the supervisor engine works and how to modify the configuration register and BOOT variable:
These next sections describe how the boot configuration works on the supervisor engine.
The supervisor engine boot process involves two software images: ROM monitor and supervisor engine software. When the switch is powered up or reset, the ROM-monitor code is executed. Depending on the NVRAM configuration, the supervisor engine either stays in ROM-monitor mode or loads the supervisor engine software.
Two user-configurable parameters determine how the switch boots: the configuration register and the BOOT environment variable. The configuration register is described in the "Modifying the Boot Field and Using the boot Command" section. The BOOT environment variable is described in the "Specifying the Startup System Image" section.
The ROM monitor executes upon switch power-up, reset, or when a fatal exception occurs. The switch enters ROM-monitor mode if the switch does not find a valid software image, if the NVRAM configuration is corrupted, or if the configuration register is set to enter ROM-monitor mode. From ROM-monitor mode, you can manually load a software image from bootflash or a Flash PC card.
You can also enter ROM-monitor mode by restarting the switch and then pressing the Break key during the first 60 seconds of startup. If you are connected through a terminal server, you can escape to the Telnet prompt and enter the send break command to enter ROM-monitor mode.
The ROM monitor has these features:
The Catalyst 6000 family switch uses a 16-bit software configuration register, which allows you to set specific system parameters. Settings for the software configuration register are written into NVRAM.
Following are some reasons for changing the software configuration register settings:
Table 3-2 lists the meaning of each of the software configuration memory bits, and Table 3-3 defines the boot field.
Caution: To avoid confusion and possibly halting the switch, remember that valid configuration register settings might be combinations of settings and not just the individual settings listed in Table 3-2. For example, the factory default value of 0x0102 is a combination of settings.
| Bit Number¹ | Hexadecimal | Meaning |
|---|---|---|
| 00 to 03 | 0x0000 to 0x000F | Boot field (see Table 3-3) |
| 06 | 0x0040 | Causes system software to ignore NVRAM contents |
| 07 | 0x0080 | OEM² bit enabled |
| 08 | 0x0100 | Break disabled |
| 09 | 0x0200 | Use secondary bootstrap |
| 10 | 0x0400 | Internet Protocol (IP) broadcast with all zeros |
| 11 to 12 | 0x0800 to 0x1000 | Console line speed (default is 9600 baud) |
| 13 | 0x2000 | Boot default Flash software if network boot fails |
| 14 | 0x4000 | IP broadcasts do not have network numbers |
| 15 | 0x8000 | Enable diagnostic messages and ignore NVRAM contents |

¹ The factory default value for the configuration register is 0x0102. This value is a combination of the following: binary bit 8 = 0x0100 and binary bits 00 through 03 = 0x0002 (see Table 3-3).
² OEM = original equipment manufacturer.
| Boot Field | Meaning |
|---|---|
| 00 | Stays at the system bootstrap prompt |
| 01 | Boots the first system image in onboard Flash memory |
| 02 to 0F | Specifies a default filename for booting over the network; enables boot system commands that override the default filename |
The configuration register boot field determines whether or not the Catalyst 6000 family switch loads an operating system image, and if so, where it obtains this system image. The following sections describe using and setting the configuration register boot field, and the tasks you must perform to modify the configuration register boot field.
Bits 0 through 3 of the software configuration register form the boot field, specified as a binary number.
When the boot field is set to either 0 or 1 (0-0-0-0 or 0-0-0-1), the system ignores any boot instructions in the system configuration file and the following occurs:
You can enter the boot command only, or enter the command and include additional boot instructions, such as the name of a file stored in Flash memory, or a file that you specify for booting from a network server. If you use the boot command without specifying a file or any other boot instructions, the system boots from the default Flash image (the first image in onboard Flash memory). Otherwise, you can instruct the system to boot from a specific Flash image (using the boot system flash filename command).
You can also use the boot command to boot images stored in the Flash PC cards located in Flash PC card slot 0 or slot 1 on the supervisor engine. If you set the boot field to any bit pattern other than 0 or 1, the system uses the resulting number to form a filename for booting over the network.
You must set the boot field for the boot functions you require.
You modify the boot field from the software configuration register. To modify the software configuration register boot field, perform this task:
| Step | Command | Purpose |
|---|---|---|
| 1 | Router# show version | Determine the current configuration register setting. |
| 2 | Router# configure terminal | Enter configuration mode, selecting the terminal option. |
| 3 | Router(config)# config-register value | Modify the existing configuration register setting to reflect the way in which you want the switch to load a system image. |
| 4 | Router(config)# end | Exit configuration mode. |
| 5 | Router# reload | Reboot the switch to make your changes take effect. |
Follow this procedure to change the configuration register while running the system software:
Step 1 Enter the enable command and your password to enter privileged level as follows:
```
Router> enable
Password:
Router#
```
Step 2 Enter the configure terminal command at the EXEC mode prompt (#) as follows:
```
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#
```
Step 3 Configure the configuration register to 0x102 as follows:
```
Router(config)# config-register 0x102
```
Set the contents of the configuration register by entering the config-register value configuration command, where value is a hexadecimal number preceded by 0x (see Table 3-2).
Step 4 Enter the end command to exit configuration mode. The new value settings are saved to memory; however, the new settings do not take effect until the system software is reloaded by rebooting the system.
Step 5 Enter the show version EXEC command to display the configuration register value currently in effect and that will be used at the next reload. The value is displayed on the last line of the screen display, as in this example:
```
Configuration register is 0x141 (will be 0x102 at next reload)
```
Step 6 Save your settings. (See the "Saving the Running Configuration Settings and Reviewing Your Configuration" section. However, note that configuration register changes take effect only after the system reloads, such as when you enter a reload command from the console.)
Step 7 Reboot the system. The new configuration register value takes effect with the next system boot.
This completes the procedure for making configuration register changes.
Enter the show version EXEC command to verify the current configuration register setting. In ROM-monitor mode, enter the o command to verify the value of the configuration register boot field.
To verify the configuration register setting for the Catalyst 6000 family switch, perform this task:
| Command | Purpose |
|---|---|
| Router# show version | Verify the current configuration register setting. |
In this example, the show version command indicates that the current configuration register is set so that the Catalyst 6000 family switch does not automatically load an operating system image. Instead, it enters ROM-monitor mode and waits for user-entered ROM monitor commands. The new setting instructs the Catalyst 6000 family switch to load a system image from commands in the startup configuration file or from a default system image stored on a network server.
```
Router1# show version
Cisco Internetwork Operating System Software
IOS (tm) draco-mp Software (draco_mp-JSDBG-M), Version 12.0(5.4)XE1(0.18) INTERIM TEST SOFTWARE
Copyright (c) 1986-1999 by cisco Systems, Inc.
Compiled Mon 09-Aug-99 03:40 by
Image text-base: 0x60020900, data-base: 0x60FF0000

ROM: System Bootstrap, Version 12.0(3)XE, RELEASE SOFTWARE
BOOTFLASH: draco-mp Software (draco_mp-BOOTDBG-M), Version 12.0(5.4)XE1(0.15) INTERIM TEST SOFTWARE

Router uptime is 2 days, 4 minutes
System returned to ROM by power-on
System image file is "slot0:rp.halley"

cisco Cat6k-MSFC (R5000) processor with 57344K/8192K bytes of memory.
Processor board ID 3024158973
R5000 CPU at 200Mhz, Implementation 35, Rev 2.1, 512KB L2 Cache
Last reset from power-on
Bridging software.
X.25 software, Version 3.0.0.
SuperLAT software (copyright 1990 by Meridian Technology Corp).
TN3270 Emulation software.
10 Gigabit Ethernet/IEEE 802.3 interface(s)
123K bytes of non-volatile configuration memory.
4096K bytes of packet SRAM memory.
16384K bytes of Flash internal SIMM (Sector size 256K).
Configuration register is 0x0
Router#
```
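Added example, not part of the Cisco guide: a small Python decoder that applies Tables 3-2 and 3-3 to a configuration register value and reads the last line of show version output, flagging the states an operator should notice before leaving a switch in them (NVRAM ignored at boot, boot field 0, Break enabled). The function names are my own; the sample line is the one shown in Step 5 above.

```python
import re

# Bit meanings taken from Table 3-2 (bits 0 to 3 are the boot field, Table 3-3).
FLAG_BITS = {
    6: "ignore NVRAM contents",
    7: "OEM bit enabled",
    8: "Break disabled",
    9: "use secondary bootstrap",
    10: "IP broadcast with all zeros",
    13: "boot default Flash software if network boot fails",
    14: "IP broadcasts do not have network numbers",
    15: "diagnostic messages enabled, NVRAM contents ignored",
}

# Matches the last line of show version, with or without the "(will be ...)" suffix.
SHOW_VERSION_RE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]+)"
    r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?"
)


def boot_field_meaning(boot_field):
    """Table 3-3: what bits 0 to 3 make the switch do at startup."""
    if boot_field == 0x0:
        return "stays at the system bootstrap (ROM monitor) prompt"
    if boot_field == 0x1:
        return "boots the first system image in onboard Flash memory"
    return "forms a default network boot filename; boot system commands override it"


def decode_config_register(value):
    """Split a 16-bit configuration register into the fields of Tables 3-2 and 3-3."""
    if not 0 <= value <= 0xFFFF:
        raise ValueError("configuration register is a 16-bit value")
    boot_field = value & 0x000F
    return {
        "boot_field": boot_field,
        "boot": boot_field_meaning(boot_field),
        "flags": [name for bit, name in FLAG_BITS.items() if value & (1 << bit)],
        # Either bit 6 or bit 15 makes the boot skip the startup configuration.
        "ignores_nvram": bool(value & (0x0040 | 0x8000)),
        "break_disabled": bool(value & 0x0100),
    }


def parse_show_version_register(line):
    """Return (current, at_next_reload) from the show version line, or None if absent."""
    m = SHOW_VERSION_RE.search(line)
    if m is None:
        return None
    current = int(m.group(1), 16)
    at_next_reload = int(m.group(2), 16) if m.group(2) else current
    return current, at_next_reload


def audit_register(value):
    """List the settings worth noticing before the switch is left in this state."""
    d = decode_config_register(value)
    findings = []
    if d["ignores_nvram"]:
        findings.append("NVRAM ignored at boot: startup configuration and its passwords are not applied")
    if d["boot_field"] == 0:
        findings.append("boot field 0: the switch stops at the ROM-monitor prompt instead of loading an image")
    if not d["break_disabled"]:
        findings.append("Break enabled: a console Break during the first 60 seconds of startup enters ROM monitor")
    return findings


if __name__ == "__main__":
    # Sample input: the show version line from Step 5 of the procedure in the text.
    current, nxt = parse_show_version_register("Configuration register is 0x141 (will be 0x102 at next reload)")
    for label, reg in (("current", current), ("next reload", nxt)):
        print(f"{label}: 0x{reg:04X} -> {decode_config_register(reg)['boot']}; {audit_register(reg)}")
```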
You can enter multiple boot commands in the startup configuration file or in the BOOT environment variable to provide backup methods for loading a system image onto the Catalyst 6000 family switch.
The BOOT environment variable is also described in the "Specify the Startup System Image in the Configuration File" section in the "Loading and Maintaining System Images and Microcode" chapter of the IOS Configuration Fundamentals Configuration Guide.
Flash memory allows you to do the following:
Flash memory features include the following:
Note the following security precautions when loading from Flash memory:
Step 1 Copy a system image to Flash memory using TFTP or rcp. See the "Additional File Transfer Features" section, for more information on performing this step.
Step 2 Configure the system to boot automatically from the desired file in Flash memory. You might need to change the configuration register value. See the "Modifying the Boot Field and Using the boot Command" section, for more information on modifying the configuration register.
Step 3 Save your configurations.
Step 4 Power cycle and reboot your system to ensure that all is working as expected.
The BOOTLDR environment specifies the Flash file system and filename containing the boot loader image required to load software on the MSFC.
Caution: Do not erase the boot loader image (c6msfc-boot-mz.120-7.xe.bin) from the MSFC bootflash: device. The boot loader must be present for the switch to boot successfully.
For Class A Flash file systems, the CONFIG_FILE environment variable specifies the file system and filename of the configuration file to use for initialization (startup). Valid file systems can include nvram:, slot0:, and sup-bootflash:.
For detailed file management configuration information, refer to the IOS Configuration Fundamentals Configuration Guide.
After you save the CONFIG_FILE environment variable to your startup configuration, the switch checks the variable upon startup to determine the location and filename of the configuration file to use for initialization.
The switch uses the NVRAM configuration during initialization when the CONFIG_FILE environment variable does not exist or when it is null (such as at first-time startup). If the switch detects a problem with NVRAM or a checksum error, the switch enters setup mode. See the "Configuring the Switch Using the Setup Facility or the setup Command" section for more information on the setup command facility.
Although the ROM monitor controls environment variables, you can create, modify, or view them with certain commands. To create or modify the BOOT, BOOTLDR, and CONFIG_FILE environment variables, use the boot system, boot bootldr, and boot config global configuration commands, respectively.
Refer to the "Specify the Startup System Image in the Configuration File" section in the "Loading and Maintaining System Images and Microcode" chapter of the Configuration Fundamentals Configuration Guide for details on setting the BOOT environment variable. Refer to the "Specify the Startup Configuration File" section in the "Modifying, Downloading, and Maintaining Configuration Files" chapter of the Configuration Fundamentals Configuration Guide for details on setting the CONFIG_FILE variable.
You can view the contents of the BOOT, BOOTLDR, and the CONFIG_FILE environment variables using the show bootvar command. This command displays the settings for these variables as they exist in the startup configuration as well as in the running configuration if a running configuration setting differs from a startup configuration setting.
This example shows how to check the BOOT, BOOTLDR, and the CONFIG_FILE environment variables on the switch:
```
Router# show bootvar
BOOT variable = sup-bootflash:c6sup-js-mz.120-7.XE.bin,1;
CONFIG_FILE variable does not exist
BOOTLDR variable = bootflash:c6msfc-boot-mz.120-7.XE.bin
Configuration register is 0x0
Router#
```
Enter the more nvram:startup-config command to display the contents of the configuration file pointed to by the CONFIG_FILE environment variable.
To set the BOOTLDR environment variable, perform this task:
| Step | Command | Purpose |
|---|---|---|
| 1 | Router# dir bootflash: | Verify that bootflash contains the boot loader image. |
| 2 | Router# configure terminal | Enter the configuration mode from the terminal. |
| 3 | Router(config)# boot bootldr bootflash:boot_loader | Set the BOOTLDR environment variable to specify the Flash device and filename of the boot loader image. This step modifies the runtime BOOTLDR environment variable. |
| 4 | Router(config)# end | Exit configuration mode. |
| 5 | Router# copy system:running-config nvram:startup-config | Save this runtime BOOTLDR environment variable to your startup configuration. |
| 6 | Router# show bootvar | (Optional) Verify the contents of the BOOTLDR environment variable. |
This example shows how to set the BOOTLDR variable:
```
Router# dir bootflash:
Directory of bootflash:/
  1  -rw-     1599488  Nov 29 1999 11:12:29  c6msfc-boot-mz.120-7.XE.bin

15990784 bytes total (14391168 bytes free)
Router# configure terminal
Router (config)# boot bootldr bootflash:c6msfc-boot-mz.120-7.XE.bin
Router (config)# end
Router# copy system:running-config nvram:startup-config
[ok]
Router# show bootvar
BOOT variable = sup-bootflash:c6sup-js-mz.120-7.XE.bin,1;
CONFIG_FILE variable does not exist
BOOTLDR variable = bootflash:c6msfc-boot-mz.120-7.XE.bin
Configuration register is 0x0
```
The Catalyst 6000 family switch supports dual supervisor engines or Enhanced High System Availability (EHSA). This feature is described in these sections:
Catalyst 6000 family switches support fault resistance by allowing a secondary supervisor engine to take over if the primary supervisor engine fails. This secondary, or redundant, supervisor engine runs in EHSA standby mode.
EHSA standby mode provides the following features:
When the switch is powered on, EHSA runs between the two supervisor engines. The supervisor engine that boots first, either in slot 1 or 2, becomes the EHSA active supervisor engine, and its Multilayer Switch Feature Card (MSFC) and Policy Feature Card (PFC) become fully operational. The MSFC and PFC on the standby supervisor engine come out of reset but are not operational.
The following events cause an EHSA switchover:
In a switchover, the standby supervisor engine becomes fully operational and the following occurs:
For redundant operation, the following requirements must be met:
The active and standby supervisor engines must be in slots 1 and 2 of the switch chassis.
If these requirements are met, the switch functions in EHSA mode by default.
During normal operation, the startup-config, config-registers, and bootvar configurations are synchronized by default between the two supervisor engines. In a switchover, the new active supervisor engine uses the current configuration.
To manually synchronize the configurations used by the two supervisor engines, perform this task on the active supervisor engine:
| Step | Command | Purpose |
|---|---|---|
| 1 | Router(config)# redundancy | Enter redundancy configuration mode. |
| 2 | Router(config-r)# main-cpu | Enter main-cpu configuration submode. |
| 3 | Router(config-r-mc)# auto-sync {startup-config \| config-register \| bootvar \| standard} | Synchronize the configuration elements. |
| 4 | Router(config-r-mc)# end | Return to privileged EXEC mode. |
| 5 | Router# copy running-config startup-config | Force a manual synchronization of the configuration files in NVRAM. Note: This step is unnecessary to synchronize the running configuration file in DRAM. |
This example shows how to reenable the default automatic synchronization feature using the auto-sync standard command to synchronize the startup-config, config-register, and bootvar configuration of the active supervisor engine with the redundant supervisor engine:
```
Router(config)# redundancy
Router(config-r)# main-cpu
Router(config-r-mc)# auto-sync standard
Router(config-r-mc)# end
Router# copy running-config startup-config
```
This example shows how to disable default automatic synchronization of all three redundant configuration elements and only allow automatic synchronization of the startup-config and config-registers of the active supervisor engine to the redundant supervisor engine while disallowing synchronization of the bootvars:
```
Router(config)# redundancy
Router(config-r)# main-cpu
Router(config-r-mc)# no auto-sync standard
Router(config-r-mc)# auto-sync startup-config
Router(config-r-mc)# auto-sync config-register
Router(config-r-mc)# end
Router# copy running-config startup-config
```
To display both supervisor engines, perform this task:
| Command | Purpose |
|---|---|
| Router# show module all | Display the redundancy configuration. |
This example shows how to display the supervisor engine redundancy configuration:
```
Router# show module all
slot ports card type                      model            serial number
1    2     Catalyst 6000 supervisor 1     WS-X6K-SUP1-2GE  SAD03130407
2    2     Catalyst 6000 supervisor 1     WS-X6K-SUP1-2GE  SAD03230569
8    48    48 port 10/100 mb RJ-45 ethern WS-X6248-RJ-45   SAD03242620

slot MAC addresses                     Hw   Fw            Sw
1    0050.f0aa.0100 to 0050.f0aa.0102  2.0  4.2(0.24)VAI  5.3(2)CSX 19
2    00d0.bce8.03bc to 00d0.bce8.03be  4.0  4.2(0.24)VAI  5.3(2)CSX 19
8    0050.f0ae.bc10 to 0050.f0ae.bc40  1.1  4.2(0.24)VAI  5.3(2)CSX 19
Router#
```
Posted: Mon Jan 3 14:58:44 PST 2000
Copyright © 1989-1999 Cisco Systems Inc.