Cisco Access Controls and Security

Eric Vanderburg

Many organizations use Cisco devices to interconnect, protect, filter, and manage networks so it is important to understand ways to improve the security of these devices as part of your information security program. Within this article three basic access controls you can implement on any Cisco device will be discussed. These access controls are intended for those who are new to Cisco, so if you are a Cisco veteran, please peruse some of our more advanced articles on Cisco and information security.

The three basic access controls you can implement are as follows:

  • Set passwords for all methods of access
  • Encrypt the enable mode password
  • Encrypt passwords stored in the configuration

Set passwords for all methods of access

Cisco devices can be managed in a number of ways: through the console, the auxiliary line, the virtual terminal lines, or asynchronous serial lines. A brief description of each of these lines follows. Each of these lines can and should be configured with a password so that none of them provides unauthenticated access to the network device. You configure the passwords using the following commands, issued from global configuration mode. This mode is reached by entering enable mode (typing “enable” or “en”) and then typing “configure terminal” or “config t”. Note that the prompt changes from router> to router# when you enter enable mode, and to router(config)# once you enter global configuration mode.

The console port is a physical RJ45 connector that is located on the device. It is configured for sending serial data. Using a Cisco console cable you can connect the serial port on a computer to this console port on the Cisco device to perform administrative tasks. You can set a password on this line by issuing the following commands. In this example I set the password to consolepassword. The first line puts you in line configuration mode so you can configure settings for the console line. The next line sets the password. This is followed with the “login” command which tells the device to prompt for the password. The last line puts you back into global configuration mode.

The auxiliary line or “aux” is also a physical port on the device and it is a backup to the console port. It can be used in much the same way and therefore must be secured in the same way. Note the example below where I set the password to auxpassword.

The virtual terminal or “VTY” lines are virtual lines that allow connecting to the device using telnet or Secure Shell (SSH). Cisco devices can have up to 16 VTY lines. You can determine how many VTY lines you have by issuing “line vty 0 ?” from global configuration mode. This example has 16 lines and it sets the password to vtypassword.

The last method of managing a device is with asynchronous serial lines. These are enabled by installing an asynchronous serial card into the router. These lines can be used to connect terminals or modems to the device. The commands for configuring a password on an asynchronous line are similar to the commands above, but the lines are usually assigned to a logical group and then the group is configured. For example purposes we will assign the interface to group 1.

Encrypt the enable mode password

Enable mode is a privileged mode on the device that allows you to modify major settings. An important information security step is to ensure that a password is required to enter this mode. This password is called the enable password. Furthermore, the password should be encrypted: an unencrypted password is revealed in plain text to anyone who executes show running-config on the device. Note: the show running-config command does not need to be executed from enable mode. Set an encrypted enable password with the following command from enable mode:

Encrypt passwords stored in the configuration

Just like the enable password, other passwords are stored by default as unencrypted and could be viewed by issuing the show running-configuration command. Also, you may be storing Cisco configurations somewhere on your network and if you do, others might be able to access this and view your passwords if they are not encrypted. It is important to make it a practice to encrypt all passwords on the device. One command can encrypt the rest of the passwords and is as follows:

However, this command encrypts the passwords using a rather weak algorithm, type 7, which can be reversed to reveal the original password. This link provides a Perl script that will decrypt type 7 passwords.

Because of this, an alternative to type 7, called type 5 encryption, is available. To encrypt the passwords using type 5, issue the service password-encryption command above and then, for each of the methods of access mentioned earlier in the article, add “5 encrypted-secret” to the end of the password line as follows:
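To check the three controls above against a device you manage, the following Python audits a saved running-config for lines without a password or login prompt, a missing enable secret, and passwords still stored in plain text or as reversible type 7. This is an added example, not code from the original article; the sample config is constructed and the audit treats type 5, 8 and 9 secrets as acceptable.

```python
"""Audit a Cisco IOS running-config for the three access controls described
above: each management line has a password and prompts for it ('login'),
privileged EXEC is protected by 'enable secret' rather than 'enable password',
and no password is left in plain text or in reversible type 7 form.
Added example, not from the original article; SAMPLE_CONFIG is constructed."""

# Constructed running-config with deliberate weaknesses for the audit to flag.
SAMPLE_CONFIG = """\
!
no service password-encryption
hostname router
!
enable password cisco123
!
line con 0
 password consolepassword
 login
line aux 0
 password 7 121A0C041104
 login
line vty 0 4
 password 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
 login
line vty 5 15
 login
!
end
"""

# Storage types IOS writes in front of a password/secret once it is encrypted.
STRONG_TYPES = {"5", "8", "9"}      # one-way hashes
REVERSIBLE_TYPE = "7"               # trivially reversed, as the article notes
PLAINTEXT_TYPE = "0"


def password_type(args):
    """Classify the arguments of a 'password'/'secret' command.
    'password 7 <hex>' or 'secret 5 <hash>' carry a type digit; a bare
    'password <text>' (or an explicit '0') is stored in plain text."""
    known = STRONG_TYPES | {REVERSIBLE_TYPE, PLAINTEXT_TYPE}
    if len(args) >= 2 and args[0] in known:
        return args[0]
    return PLAINTEXT_TYPE


def split_sections(config):
    """Map each 'line ...' section name to its indented commands; top-level
    commands go under 'global'."""
    sections = {"global": []}
    current = "global"
    for raw in config.splitlines():
        if raw.startswith("!") or not raw.strip():
            continue
        if not raw.startswith(" "):           # a new top-level command
            current = "global"
            if raw.startswith("line "):
                current = raw.strip()
                sections[current] = []
                continue
        sections[current].append(raw.strip())
    return sections


def audit(config):
    """Return (section, message) findings; an empty list means all three
    controls are in place."""
    findings = []
    sections = split_sections(config)
    top = sections["global"]
    if "service password-encryption" not in top:
        findings.append(("global", "service password-encryption is off; line passwords are stored in plain text"))
    if not any(c.startswith("enable secret") for c in top):
        findings.append(("global", "no 'enable secret' protects privileged EXEC mode"))
    if any(c.startswith("enable password") for c in top):
        findings.append(("global", "'enable password' is plain text or type 7; replace it with 'enable secret'"))
    for name, cmds in sections.items():
        if name == "global":
            continue
        passwords = [c for c in cmds if c.startswith("password")]
        if not passwords:
            findings.append((name, "no password set; the line allows unauthenticated access"))
        if not any(c == "login" or c.startswith("login ") for c in cmds):
            findings.append((name, "'login' missing; the line will not prompt for its password"))
        for c in passwords:
            kind = password_type(c.split()[1:])
            if kind == PLAINTEXT_TYPE:
                findings.append((name, "password stored in plain text"))
            elif kind == REVERSIBLE_TYPE:
                findings.append((name, "password stored as reversible type 7"))
    return findings


if __name__ == "__main__":
    for section, message in audit(SAMPLE_CONFIG):
        print(f"{section}: {message}")
```

Run it against the output of show running-config saved to a file; the sample produces six findings, and a config with service password-encryption, an enable secret, and a login plus type 5 password on every line produces none.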

Summary

This article presented you with three basic things you can do to better secure access to your Cisco devices. They are (1) Set passwords for all methods of access, (2) Encrypt the enable mode password, and (3) Encrypt passwords stored in the configuration. Remember that this is only a basic step but an important one. Look for further articles on Cisco information security to better protect your networking equipment.

For further reading

JURINNOV, a Cleveland based firm, offers information security consulting services to give you more confidence in your information systems. Contact us today and bring your security to the next level.

How Ansible works

Learn the fundamentals of Ansible, powerful IT automation software that emphasizes simplicity and ease of use.

Ansible® is an open source, command-line IT automation software application written in Python. It can configure systems, deploy software, and orchestrate advanced workflows to support application deployment, system updates, and more.

Ansible’s main strengths are simplicity and ease of use. It also has a strong focus on security and reliability, featuring minimal moving parts. It uses OpenSSH for transport (with other transports and pull modes as alternatives), and uses a human-readable language that is designed for getting started quickly without a lot of training.

Community Ansible

The community distribution of Ansible contains a suite of powerful command line tools supported on most operating systems with Python installed. This includes Red Hat® Enterprise Linux®, Debian, Ubuntu, MacOS, FreeBSD, Microsoft Windows, and more. For more information on installing Ansible refer to the installation documentation.

Red Hat Ansible Automation Platform

Red Hat Ansible Automation Platform is a subscription product built on the foundations of Ansible with numerous enterprise features. It combines more than a dozen upstream projects into an integrated, streamlined product. Each product component also has a specific purpose with a well-defined scope. For example, the automation controller is the WebUI and API for Ansible automation, which is based on the upstream project AWX. This component is bundled into the platform to manage automation. Ansible Automation Platform is available to be run on-premise and charged by node (rather than by user), or you can use the managed service offering on Microsoft Azure.

This page will give you an overview of Ansible fundamentals that apply to both community Ansible and Red Hat Ansible Automation Platform. For more detail, please visit docs.ansible.com.

Efficient architecture

Both community Ansible and Ansible Automation Platform have the concept of a control node and a managed node. The control node is where Ansible is executed from, for example where a user runs the ansible-playbook command. Managed nodes are the devices being automated, for example a Microsoft Windows server.

For automating Linux and Windows, Ansible works by connecting to managed nodes and pushing out small programs, called Ansible modules, to them. These programs are written to be resource models of the desired state of the system. Ansible then executes these modules (over SSH by default), and removes them when finished. These modules are designed to be idempotent when possible, so that they only make changes to a system when necessary.

For automating network devices and other IT appliances where modules cannot be executed, Ansible will run on the control node. Since Ansible is agentless, it can still communicate with devices without requiring an application or service to be installed on the managed node. To increase execution capacity for devices without the ability to run modules, Ansible Automation Platform can spread automation jobs out across execution nodes using a technology called automation mesh. To understand more about how network automation is different, check out the Ansible documentation.

For automating public clouds and web services, Ansible will also run modules locally and talk directly to their APIs. There are a variety of documentation guides for each public Cloud or web service that can be automated:

Credentials

For Ansible to execute, it needs an inventory (what are the managed nodes I am trying to automate?) and credentials (how do I login and connect to those managed nodes?).

Community Ansible is decentralized—meaning it relies on your existing OS credentials to control access to remote machines. And if needed, Ansible can easily connect with Kerberos, Lightweight Directory Access Protocol (LDAP), and other centralized authentication management systems. You can also just store usernames and passwords as variables for Ansible and encrypt them with Ansible Vault. This can be as easy as storing them in your inventory file, as elaborated on below.

Red Hat Ansible Automation Platform can act as a centralized authentication as well as integrate with industry-standard tools like CyberArk AIM, Conjur, HashiCorp Vault, and Microsoft Azure Key Vault. Automation controller hashes local automation controller user passwords with the PBKDF2 algorithm using a SHA256 hash. Users who authenticate via external account mechanisms (LDAP, SAML, OAuth, and others) do not have any password or secret stored. For more information, check the Secret handling and connection security documentation.

Manage your inventory in simple text files

By default, Ansible represents which machines it manages using a very simple INI file that puts all of your managed machines in groups of your own choosing.

To add new machines, there is no additional SSL signing server involved, so there’s never any hassle deciding why a particular machine didn’t get linked up due to obscure NTP or DNS issues.

If there’s another source of truth in your infrastructure, Ansible can also plug in to that, such as drawing inventory, group, and variable information from sources like Amazon Web Services, Google Compute Engine, Microsoft Azure, VMware vCenter, and more. Both community Ansible and Ansible Automation Platform can use a variety of dynamic inventory plugins. Ansible Automation Platform makes these easily available and configurable in the WebUI.

Here’s what a plain text inventory file looks like:

[webservers]
www1.example.com
www2.example.com

[dbservers]
db0.example.com
db1.example.com

Once inventory hosts are listed, variables can be assigned to them in simple text files (in a subdirectory called ‘group_vars/’ or ‘host_vars/’) or directly in the inventory file.

Or, as already mentioned, you can use a dynamic inventory to pull your inventory from data sources like AWS and Azure.

Playbooks: a simple and powerful automation language

Playbooks can finely orchestrate multiple slices of your IT infrastructure, with very detailed control over how many machines to tackle at a time. This is where Ansible starts to get most interesting.

Ansible’s approach to orchestration is one of finely tuned simplicity, as we believe you should be able to use existing knowledge while not having to remember special syntax or features.

Here’s what a playbook looks like. As a reminder, this is only here as a teaser—visit docs.ansible.com for the complete documentation, and see all that’s possible.

An example apache.yml playbook might look like:

- name: Apache server installed
  hosts: web
  become: true
  tasks:
    - name: latest Apache version installed
      yum:
        name: httpd
        state: latest
    - name: Apache enabled and running
      service:
        name: httpd
        enabled: true
        state: started
    - name: copy index.html
      copy:
        src: web.html
        dest: /var/www/html/index.html

The Ansible documentation explores this in much greater depth. There’s a LOT more that you can do, including:

  • Take machines in and out of load balancers and monitoring windows.
  • Have one server know the IP address of all the others, using facts gathered about those particular servers—and use those to dynamically build out configuration files.
  • Set some variables and prompt for others, and set defaults for when they are not set.
  • Use the result of one command to decide whether to run another.

There are lots of advanced possibilities, but it’s easy to get started.

Most importantly, the language remains readable and transparent, and you never have to do things like declare explicit ordering relationships or write code in a programming language.

Extend Ansible: plugins, modules, and API

Should you want to write your own, Ansible modules can be written in any language that can return JSON (Ruby, Python, PowerShell, bash, etc.). Inventory can also plug in to any data source by writing a program that speaks to that data source and returns JSON. There are also various Python APIs for extending Ansible’s connection types (SSH is not the only transport possible), callbacks (how Ansible logs, etc.), and even for adding new server-side behaviors.

When would you use Ansible Automation Platform versus community Ansible?

Red Hat Ansible Automation Platform is a subscription product that builds upon the foundations of community Ansible and is designed to elevate automation across your organization.

Flexible, security-focused, and capable, Ansible Automation Platform helps IT teams create, manage, and scale automation in a standardized way.

With a subscription, you get fully supported and certified content from our robust partner ecosystem, expert knowledge gained from our success with thousands of customers, and differentiated services—like analytics reporting.

Here are three example instances of when Red Hat Ansible Automation Platform might make sense for an organization:

  • Ansible Automation Platform can help organizations with security and support by providing fully certified and signed content. Your organization can know which automation content is the official content, and digitally signed Ansible content collections ensure an end-to-end software supply chain from development to production.
  • Ansible Automation Platform can help an organization with operationalizing automation at scale with automation mesh and automation execution environments. Automation mesh allows an enterprise organization to add resilience, automation capacity, and security to their automation fabric across their IT infrastructure across multiple sites.
  • Ansible Automation Platform can also help an organization understand their automation footprint with automation analytics. Automation analytics helps IT leaders and automation architects observe how teams are adopting automation and track the success of those efforts.

To learn more about Red Hat Ansible Automation Platform, check out our knowledgebase article, What is included in Red Hat Ansible Automation Platform subscription?

How to Configure a Cisco Switch

Cisco switches are targeted at businesses or enterprises that need flexibility, power, and security to connect medium-to-large networks. As opposed to plug-n-play, administrable switches require and allow configuration via an interface. For instance, administrable switches such as the Cisco Catalyst 3600 Series require an initial basic configuration that determines management, security, monitoring, and other foundational parameters.

How do you configure a Cisco switch step by step? In this post, we’ll configure a Cisco switch from top to bottom using the popular IOS CLI. We will be using a Cisco Catalyst 3500 Series, Model 3550, inside a Cisco switch/router simulator. We will go through the process of connecting to the switch, configuring security and management, and setting additional parameters.

Connecting to the hardware

Before diving deep into the step-by-step to configuring your Cisco switch, you’ll first need to get to know your hardware. If it’s off and unplugged, inspect the power cables and ensure they are not damaged. If the power cables look good, go ahead and plug the switch and make sure the indicator lights are operational.

Image caption: the back side of a Catalyst 3550 10/100 48-port switch (48-SMI). Here you’ll find the power supply and the console port.

a. How to connect to the Cisco Switch?

The traditional way to connect to a Cisco switch’s management port is by using a rollover cable (also known as console cable). This cable lets you connect your computer to the switch’s console port. Cisco switches also come with other ports like the Mini USB port or AUX port.

You can connect to this port using an RJ-45 rollover cable or a Serial DB9 to RJ-45 console cable (such as the picture below). You can also use an adapter, such as the Serial to USB adapters that convert Serial to USB signals. For this type of adapter connection, you’ll need to install a driver on your computer.

b. Establish a serial connection

You could configure a Cisco switch using a modern web GUI. But to get more versatility, speed, and a higher level of precision, you can configure it using the Cisco IOS command-line interface. To connect to this interface, you’ll need software on your computer that controls serial lines and establishes the connection.

PuTTY replaces the good old HyperTerminal when it comes to serial communications. PuTTY is an SSH, Telnet, rlogin, and raw TCP client with a free license. Unfortunately, PuTTY is only supported on Windows. SecureCRT and MobaXterm are good alternatives to PuTTY.

Download and connect using PuTTY

  • Go ahead and install PuTTY on your Windows computer (or use an alternative for other operating systems).
  • If the console cable is plugged in correctly between the switch and your computer, open PuTTY.
  • If you connect the switch’s serial port to your USB port with an adapter, you’ll need to verify the COM port number. You can do this by opening Windows Device Manager and checking your USB connections.
  • Now configure PuTTY’s serial connection settings. Go to Connection, then Serial, and set the following port parameters:
  • Serial line to connect to: if using an adapter, the COM# you found in Device Manager
  • Speed (baud): 9600 (this number might vary according to your switch series)
  • Data bits: 8
  • Stop bits: 1
  • Parity: None
  • Flow control: default, or set to None

You’ll now be connected to the switch and are ready to configure it.

Moving through command modes and specifying a hostname

Once you are connected to the switch, you’ll be greeted with boot messages and the following prompt: “Switch>”


The trailing “>” means you are in the unprivileged command mode. Here you won’t be able to change anything, only display information. You’ll need to raise your privileges to configure the switch.

The Command modes

The Cisco IOS software is hierarchically structured into different levels of command modes: the unprivileged User EXEC mode and the privileged EXEC mode. There are five modes within the privileged mode: global configuration mode, interface configuration mode, subinterface configuration mode, router configuration mode, and line configuration mode.

To move through these command modes, use the following:

  • enable: switch from unprivileged to privileged mode.
  • disable: switch from privileged to unprivileged mode.
  • exit: go back one mode.
  • end: go back to the privileged (enable) mode.

Let’s configure a customized hostname

  • Go to privilege mode (type enable). Since this is an initial configuration, EXEC privilege mode (enable) does not have any password yet. We’ll secure the privilege mode in the next section.
  • Once in privilege mode, you can enter the global configuration mode with a “configure terminal” or “config t”.
  • Under configuration mode, give your switch a name with the command “hostname ….”

Configure initial security

Now, we’ll go through a couple of security best configuration practices.

a. Protect the privilege EXEC mode with a password

To secure the privileged EXEC mode from unauthorized access, use the “enable secret” command, followed by the password, in global configuration mode.

PCWDLD(config)# enable secret SECRETWORD



To test this, exit to the unprivileged EXEC User mode and try to access the privileged EXEC mode with “enable”. As you can see below, now the switch’s first line is protected with a password request.

b. Control or restrict access to your switch

When configuring a Cisco switch for the first time, you’ll have free access (no password). You can access the switch locally via the console port (as we did previously), via the aux port, or remotely using Telnet. To secure your switch against unauthorized access through any of these paths, you’ll need to configure passwords for the Telnet (VTY), console, and aux lines.

Your switch is accessed via Virtual Terminal (VTY) lines. To learn more about the current lines on your switch, issue a “show running-config” command.

The output shows one console line, one auxiliary line, and five VTY lines (virtual terminal lines, used for inbound Telnet connections). Some switches have more VTY lines, 16 for instance (0-15).

Use the following commands to set a password to these lines:

PCWDLD(config-line)# password SECRETWORD-console


PCWDLD(config)# line vty 0 4

PCWDLD(config-line)# password SECRETWORD-DD

If your switch has an aux port, you’ll need to verify the line number with the “show line” command. Record the TTY line for the AUX port and input with the line [aux line#] command.

  • Now, let’s verify with the “show running-config” command.
  • As you can see in the screenshot below, both connection lines now have a password.

c. Create an ACL to restrict access at the IP level

As an optional configuration to improve the security of your switch, you can create a numbered Access Control List (ACL) listing the IP addresses that are allowed (or denied) access to your switch, and then apply the ACL to your VTY lines. This gives you fine-grained control, for example allowing only one or two IPs to reach the switch’s management lines.

PCWDLD(config)# line vty 0 4

PCWDLD(config-line)# access-class telnet-access in

Let’s break down the command:

  • “ip access-list 10” creates ACL number 10. “permit 192.168.0.100 0.0.0.0” adds the host 192.168.0.100/32 to the list and permits its access. The 0.0.0.0 is the wildcard mask, the inverse of the subnet mask 255.255.255.255, so it matches a single host; wider wildcards let you match entire subnets.
  • “access-class telnet-access in” applies ACL 10 to inbound connections on lines vty 0 4.

Configuring a management interface and gateway

Logging in locally to your switch via the console port (as we did at first) every time you need to manage it can be a time-consuming and cumbersome process. By default, you can’t Telnet or SSH into a Layer 2 (L2) switch. L2 switches can’t be configured with IP addressing on their physical interfaces or switch ports. Routers or L3 switches, on the other hand, allow remote management via IP on any interface.

a. Configuring a Management Interface

There is a solution: If your computer is on the same network (broadcast domain) as the switch, you can Telnet using a Switched Virtual Interface (SVI). Then, to establish remote sessions, all you need to do is configure an SVI management VLAN and assign it an IP address.

PCWDLD(config)# interface vlan 1

PCWDLD(config-if)# ip address

You can use the “show IP interface” or the “show running-config” to verify your configuration. First, make sure the interface is up and that it has an IP address.

Note: Cisco switches have VLAN 1 (known as the management VLAN) as the default VLAN, and by default all switch ports belong to VLAN 1. Therefore, if your switch has more VLANs configured and you want to manage it from every VLAN, you need to configure an IP address on a VLAN interface for each VLAN.

b. Defining the default gateway

Right now, your switch can be accessed via Telnet on a local network but not over a remote network. The L2 switch can generate a network packet for a local destination, but to send a packet to a remote network, the L2 switch doesn’t have the routing capabilities to determine the best path. This is where a default gateway comes into play, as it can help the switch route all “unknown network” packets to the right destination.

How to configure a default gateway on a Cisco switch?


PCWDLD(config)# ip default-gateway

Don’t forget to test connectivity with the ping command!

Configuring VLANs and access ports

You can quickly create a series of VLANs using the “vlan database” command. Then use the “show VLAN switch” command to see the VLANs you created.

a. How to configure a VLAN on a Cisco switch?

Now, you’ll need to assign the switch ports that will belong to each specific VLAN. Use the following command to make a switch port a member of a VLAN.

PCWDLD(config)#interface fastethernet 0/10

PCWDLD(config-if)#switchport mode access

PCWDLD(config-if)#switchport access vlan 10

Last but not least, configure the Trunk port that will connect to an L3 or L2 switch or router and share all VLAN information with the rest of the network.

b. How to configure a trunk port on a Cisco switch?

PCWDLD(config)#interface fastethernet 0/0

PCWDLD(config-if)#switchport mode trunk

c. Assign a range of unused ports to a black hole VLAN

As a security best practice, assign all used switch ports to specific VLANs other than VLAN 1. All unused switch ports can be assigned to what is known as a “black hole VLAN”.

Do not give the black hole VLAN an L3 VLAN interface with an IP address; it should not be routable.

Now let’s assign the blackhole VLAN to the unused ports. Let’s say my switch is not using interfaces GigabitEthernet0/1 and GigabitEthernet0/2.

PCWDLD(config)#int range g0/1-2

PCWDLD(config-if)#switchport access vlan 999

PCWDLD(config-if)#switchport mode access

Although you could instead disable all the unused ports with “shutdown”, the reason to use a black hole VLAN is to guarantee that no port is left in VLAN 1. If someone accidentally brings a shut-down port back up, it would otherwise come up in VLAN 1.

Before you go, Save Your Configuration Settings

Before closing down the CLI, remember to save your configuration. This will ensure that your setting will be the same the next time you log in to your switch.

Configuring your Cisco Switch: Additional Tips and FAQ

  • To keep log messages from interrupting the command you are typing, enable synchronous logging on the console and VTY lines:
  • PCWDLD(config)# line con 0
  • PCWDLD(config-line)# logging synchronous
  • PCWDLD(config-line)# exit
  • PCWDLD(config)# line vty 0 4
  • PCWDLD(config-line)# logging synchronous
  • PCWDLD(config-line)# exit
  • To stop a port (or a range, for example switch(config)#int range g0/1-2) from negotiating a trunk with DTP, force it into access mode or turn negotiation off:
  • PCWDLD(config-if)#switchport mode access
  • or
  • PCWDLD(config-if)#switchport nonegotiate
  • How to disable CDP on a specific switch port? CDP (Cisco Discovery Protocol) is enabled on Cisco routers by default. To disable it on the port, issue the following command:
  • PCWDLD(config-if)#no cdp enable

How to Configure a Cisco Switch FAQs

How do you access the Cisco switch configuration interface?

The Cisco switch configuration interface can be accessed using a command-line interface (CLI) or a web-based graphical user interface (GUI).

What is the purpose of configuring switch Link Aggregation Control Protocol (LACP)?

The purpose of configuring switch Link Aggregation Control Protocol (LACP) is to combine multiple physical connections into a single logical connection, providing increased bandwidth and network resiliency.

What is the purpose of configuring switch Quality of Service (QoS)?

The purpose of configuring switch Quality of Service (QoS) is to prioritize certain types of network traffic, improving network performance and ensuring that critical applications receive the bandwidth they need.

What is the difference between switch IOS and switch NX-OS?

Cisco switch IOS (Internetwork Operating System) is the traditional operating system used by Cisco switches, while switch NX-OS (Nexus Operating System) is used by newer Cisco switches and provides additional features and capabilities.

What is the purpose of configuring switch Spanning Tree Protocol (STP)?

The purpose of configuring switch Spanning Tree Protocol (STP) is to prevent network loops and ensure that only one active path exists between switches.

What does Virtual Router Redundancy Protocol (VRRP) do?

The purpose of configuring switch Virtual Router Redundancy Protocol (VRRP) is to provide redundancy and failover capabilities for switch routing functions.

The network device: form factor and console access

We talked a lot about what a switch or a router is, what they do, and at which OSI layer they work. However, we haven’t said much about their physical characteristics yet. A network device is a tangible piece of hardware that you can work with, connect with cables, or stack one over the other. This article is about just that: we will see what it is like to unbox a network device such as a router or a switch.

The Network Device

Overview of the front panel

Networking devices provide connectivity to other devices. By their nature, you manage them through other means, typically remotely. Because of that, they have a rectangular shape, short and wide. They do not come with a mouse, keyboard, or screen; you cannot even connect these peripherals to a networking device like a switch or a router, as this is not part of the design. However, some devices may have a small LCD screen giving basic information about the internal temperature and the health status of the device.

Instead, you can always find interfaces (known also as ports). These interfaces are the slots where you can plug cables in, and the majority of them will support ethernet cables with an RJ45 termination, or SFP slots for fiber optic cables. You can find all these ports in front of your device, while on the back you can find the power cord for the power supply. However, many network devices do not have a power switch, they turn on as soon as they receive power.

Let’s get back to the front panel of our device. Many ports are going to be the ones you use to connect devices (other switches, routers, or computers), but this is not the only kind of port you can find on the device. Some ports, separated from the others, are the ones to manage the device: the console port and the AUX port.

Management ports

The console port is the first one you are going to use after unboxing the device. In order to configure the device, you have to use a text-based interface, where you write text, the device reads it, and returns other text to you: the console port provides just that, allowing a synchronous transmission of text characters. Even though the console port is an RJ45 jack, you cannot use a simple network cable here; you have to use a specific console cable, which has an RJ45 side and an RS232 (serial) side. Many modern PCs do not have a built-in RS232 connector, so you have to use the console cable in combination with a USB to serial converter. Due to the nature of this connection, console cables are relatively short (a few centimeters to a few meters); they are not for long-distance transmission.

The AUX (Auxiliary) port is also designed to configure the network device, but in a different way. With the console port, in order to connect to the device, we must be close to it. With the AUX port, we can do this remotely. Specifically, that port is designed to act like an analog phone: using a modem, you can call a phone number assigned to the device and then gain access to its configuration. This allows you to connect to the device remotely even if the network is down. However, this is not so common nowadays. Even if the idea behind it is good, as it allows Out of Band (OOB) management of the device (the device is managed through a dedicated network rather than the production network), this solution is not cheap.

To allow that, you would need a whole separate infrastructure: separate physical cables running to all of your devices, connected to a Private Branch Exchange (PBX) and then to the public telephone network, plus all the phone numbers you need. Moreover, modern telephony systems rely on the network and will not work if the network is down. Because of that, using AUX ports is now considered a legacy practice. However, that port works with the same logic as the console port, which means you can use some tricks to turn it into a console port in case the console port is broken. This, however, is well out of scope for this article.

The form factor

Network device in a rack

Now that we have a general idea about the shape of a networking device, it is time to talk about it in technical terms. In fact, the form factor of a networking device is simply its shape. We can divide ICT devices into two major categories: end-user devices and data center devices. End-user devices are the ones directly used by someone: a laptop, a smartphone, or a desktop computer. Data center devices, instead, serve other devices: they are networking devices such as switches, routers, firewalls, and so on. Because of that, these devices are not designed to sit on a desk. Instead, they are placed in dedicated rooms (the data centers).

In a data center, many different devices from different vendors have to share the same space. Without some rules, this could result in a big mess. Fortunately, we have those rules. In order to maximize the space dedicated to devices, we have the concept of the rack. A rack is a cabinet designed to hold devices, and a data center is a room with one or more racks in it. Racks have standard sizes, and devices to be put inside them must follow these sizes too. Specifically, the width and depth are always the same, while the height can vary, but only in increments of 1.75 inches (44.45 mm). This means that we can have devices of 1.75” or 3.5”, but not of 3.0”. Because of that, we do not measure the height of a device in inches or millimeters, but in Rack Units (RUs), with 1 RU = 1.75 inches.

Switch Configuration form factor

While these rack rules apply to all data center devices, there are some concepts that apply only to networking devices. Now we are truly talking about the form factor. The form factor is the shape of the networking device in terms of flexibility and modularity. In networking devices, we can find three types of form factors in switches.

  • Fixed Configuration Switches – switches with this form factor are 1RU in size. You cannot expand the number of ports on them. This is the simplest and cheapest form factor available.
  • Stackable Configuration Switches – switches with this form factor are similar to fixed-configuration ones, with some enhancements. You can connect them together with a specific cable, and they will act as a single device. The cable used, for Cisco devices, is called Cisco StackWise. It can connect up to 9 switches in a loop fashion (the first device to the second, the second to the third, and the third back to the first).
  • Modular Configuration Switches – these switches are the most expensive (and most powerful) ones. They have a chassis, which is basically a box with redundant power supplies, into which you can insert several line cards according to your needs. Line cards are the components physically hosting the ports, while the chassis allows inter-line-card communication. This type of device is used in the enterprise backbone.

The following picture presents the different form factors already explained.

The console

Entering the console

Now that we know the physical characteristics of a network device, it’s time to see how we can connect to it in order to configure it. This way, in the following articles we can start to put our hands on the configuration part. In order to gain console access to a networking device, you are going to need the console cable and the USB-to-serial converter. After that, you are going to need a terminal emulation software: the program that controls the sending and receiving of characters on the console cable. Fortunately, there are several free programs that do just that. The most famous and simplest one is PuTTY: it doesn’t even need to be installed, it is a single executable file you can download and run whenever you need it.

Tip: USB-to-serial converters are not plug-and-play devices; you have to install their drivers. Fortunately, this is not a complex task. Check with the manufacturer of your converter which driver you have to install.

Once your drivers are ready, run PuTTY as administrator. Before connecting, you may want to check the serial settings. Go to the Connection > Serial tab; everything should be as in the picture below (default settings).

Once you are ready, the networking device is powered on, and everything is connected, you can launch the connection. Do that from the Session tab by selecting Serial. You will also have to specify the serial line, which is the serial port on your PC you are trying to use. Common serial lines are COM1, COM3, and COM5. If you get an error saying “Unable to open serial port” you are probably using the wrong serial line.

If everything is OK, a new black window will pop up. In there, hit the Enter key a few times until some text appears. If the device is brand new, it will offer you the initial configuration wizard. Instead, if this device already has some configuration, you might have to authenticate with a username and password.

The Cisco Prompts

Cisco Prompts System

Connecting to a device through the console is identical regardless of the vendor. However, what you type once you are logged in depends on the hardware vendor. Each product implements its own proprietary configuration commands. There is no standard for that; you just have to know what to type. However, the logic behind the configuration is always the same: you have to enter a specific configuration area to perform certain commands. Cisco implements this concept with a simple prompt system.

Configuring a networking device is about sending and receiving text. However, it is not like writing a text document; it is a lot like chatting: you write text line by line and then press Enter. Every time you write a line and hit Enter, the device processes the instruction and behaves accordingly. After that, it sends you a piece of text to tell you that it is ready to process more commands. That piece of text, which you will find at the beginning of every line, is called the prompt. It is a visual identifier of the current configuration/management state.

User and Privileged mode

As soon as you log into a device, you enter User mode. This prompt is identified by the name of the device followed by a “greater than” sign (>). As an example reference, let’s say we are configuring a device named “Router”. In this case, the prompt will be Router>. In this prompt we are allowed to do almost nothing, so we type the enable command. That command will ask us for a password (if one was previously configured) and then take us to Privileged Exec mode, identified by the pound sign (#, e.g. Router#). From there, we can run all the verification commands we need. Moreover, we are allowed to enter configuration mode. To do that, we type configure terminal and then we are in a new prompt, Router(config)#.

From there, we can configure general settings of the device and enter item-specific configuration modes. For example, there are specific modes to configure interfaces, VLANs, routing protocols, and so on. To get back to the “parent mode”, you can type exit. However, note that Privileged Exec mode is not a child of User mode, and typing exit in Privileged Exec mode will disconnect you from the device, showing the login prompt again. From any configuration mode, you can type end to return to Privileged Exec mode immediately. The following image shows how to move between Cisco prompts.
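The prompt system just described, as an added example written for this page (not the article's or Cisco's code): it parses a prompt line back into hostname and mode, the check an automation script should make before sending a command, and replays the enable / configure terminal / exit / end transitions to predict the next prompt. The sub-mode tags config-if, config-vlan and config-router are the ones IOS shows for interface, VLAN and routing-protocol configuration; the hostname Router is the article's sample name.

```python
import re

# Added example (not the article's code): a model of the Cisco IOS prompt system above.
# parse_prompt() reads host and mode back from a prompt line; PromptModel replays the
# transitions the article describes (enable, configure terminal, sub-modes, exit, end).
PROMPT_RE = re.compile(r"^(?P<host>[\w.-]+)(?:\((?P<ctx>[\w-]+)\))?(?P<sign>[>#])\s*$")
# Sub-mode commands named in the article and the context tag IOS shows for each.
SUBMODES = {"interface": "config-if", "vlan": "config-vlan", "router": "config-router"}

def parse_prompt(line):
    """Return (hostname, mode) for a prompt line, or None if it is not a prompt."""
    m = PROMPT_RE.match(line.strip())
    if not m:
        return None
    # Router> is User mode, Router# is Privileged Exec, Router(config-if)# a config context
    return m["host"], "user" if m["sign"] == ">" else (m["ctx"] or "privileged")

class PromptModel:
    """Tracks the prompt a device shows after each command typed at the console."""
    def __init__(self, hostname="Router"):      # "Router" is the article's sample name
        self.host = hostname
        self.modes = ["user"]                   # innermost mode is the last element
        self.connected = True

    @property
    def prompt(self):
        if not self.connected:
            return None                         # logged out: back to the login prompt
        mode = self.modes[-1]
        if mode in ("user", "privileged"):
            return self.host + (">" if mode == "user" else "#")
        return f"{self.host}({mode})#"

    def send(self, command):
        """Apply one command line and return the prompt shown afterwards."""
        words = command.strip().split()
        cmd = words[0] if words else ""         # an empty line only reprints the prompt
        mode = self.modes[-1]
        if cmd == "enable" and mode == "user":
            self.modes = ["privileged"]         # Privileged Exec is not a child of User mode
        elif cmd.startswith("conf") and mode == "privileged":
            self.modes.append("config")         # "configure terminal", "conf t", ...
        elif cmd in SUBMODES and mode == "config":
            self.modes.append(SUBMODES[cmd])
        elif cmd == "end" and mode.startswith("config"):
            self.modes = ["privileged"]         # 'end' jumps straight to Privileged Exec
        elif cmd == "exit":
            if mode.startswith("config"):
                self.modes.pop()                # back to the parent mode
            else:
                self.connected = False          # 'exit' in User/Privileged Exec logs out
        return self.prompt
```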

Conclusion

After this article, you know how to handle network devices from a physical perspective. You have learned how to move between Cisco prompts, so you are ready to put your hands on the real configuration. In the next article, we will show you how to practice all the CCNA-level configuration you need. The cool thing is that you can do it without purchasing any networking equipment! Then we will continue the CCNA guide with several labs to grow your technical skills!