This post contains some personal short notes on various configuration tasks related to Cisco switches/routers. I wrote it so that I can find my day-to-day commands in one central location.
Regards,
Syed Jahanzaib
> Method#0 – Erase settings when you already have access to the switch
write erase
delete flash:vlan.dat
# on a newer switch I used the following command, which worked effectively
# erase nvram:
# or better this one
# erase startup-config
# Then reload the switch; it will reboot and all config will go away
reload
After this the switch will reload its OS and come back with default settings. Using a serial console cable is recommended.
> Method#1 – Reset Everything – Factory Default
Following is a quick method to reset a Cisco switch to factory default settings. This method can also be used to recover the password.
Requirements:
- Cisco Switch
- Console Cable
- PC/Laptop with Serial Port
- Connect your console cable from the switch Console port to the PC/Laptop serial port.
- Open the Hyper Terminal application and select settings as per your hardware. Following is the configuration for the Cisco 3750 G model:
Bits per second: 115200
Data bits: 8
Parity: None
Stop bits: 1
Flow control: Xon / Xoff
- Following is the configuration for the Cisco 3850 / 3560 G model:
Bits per second: 9600
Data bits: 8
Parity: None
Stop bits: 1
Flow control: None
- Different switches connect with different Bits per Second settings. For the Cisco 2950 model try lowering it to 9600.
- Power off the switch. Now hold the MODE button on the switch and power it on.
- Once the switch initializes itself (this may take 1 minute for a 3750; a 2950 generally requires holding the mode button for only 5-6 seconds), this interrupts the boot process before the Flash file system can initialize, and after a short while (keep holding the "mode" button) you will see the following prompt:
The password-recovery mechanism is enabled.
Once you see it, you can release the Mode button.
- Press Enter a few times to make sure you get the prompt. Now issue the following commands to initialize flash and delete the files which contain the switch configuration:
flash_init
del flash:config.text
del flash:vlan.dat
The output may look like the following:
switch:
switch: del flash:config.text
Are you sure you want to delete "flash:config.text" (y/n)?y
File "flash:config.text" deleted
switch: del flash:vlan.dat
Are you sure you want to delete "flash:vlan.dat" (y/n)?y
File "flash:vlan.dat" not deleted -- no such file or directory
switch:
Once this is done, you may continue booting the switch, which will allow you to do any configuration of your choice.
boot
This will continue booting the switch and after a while it will ask you the following:
Would you like to enter the initial configuration dialog? [yes/no]:
Type no and continue with the steps below.
Adding an IP to the default Vlan 1 interface
To add an IP use the following:
en
config t
hostname zaib-switch
interface vlan 1
ip address 101.11.100.1 255.0.0.0
ip default-gateway 101.11.100.255
# Following is important, as vlan1 may be in shut status after ip config, so enable it
no shut
# configure ENABLE password
enable secret zaib1234
# configure telnet access
line vty 0 15
transport input telnet
password zaibtelnetpass
login
# configure SSH access
ip domain-name zaib.com
# Generate the RSA Keys
crypto key generate rsa
# It will ask "How many bits in the modulus [512]: 1024", just press enter
# Set Up the Line VTY configurations
transport input ssh
login local
password zaib1234
*** Set the console line
line console 0
logging synchronous
login local
*** Create the username password
username zaib password zaib1234
enable secret zaib1234
service password-encryption
exit
exit
copy running-config startup-config
# When it asks "Destination filename [startup-config]?" just press ENTER
wr
Connect an ethernet cable to the switch port and check the ping result.
Now you will be able to connect to the switch using its IP.
Cisco Configuration Assistant software is the best GUI tool to configure the switch with ease, and it will save you from remembering all the commands. Although the command line is more powerful in most cases, the GUI is still feasible for most beginners.
You can download Cisco Network Assistant and Hyper-Terminal from my Google Drive: https://drive.google.com/drive/folders/0B8B_P2ljEc2xQlpvRUQ2QWVfR0E
TIPS:
General Commands:
Show ALL Interfaces Status
In enable mode, use this command to get the status of all ports:
show interfaces status
To show IP addresses and interface status:
show ip interface brief
To show vlan details (via enable mode):
show vlan
Add ENABLE password
en
config t
enable secret zaib1234
exit
wr
Reboot Switch
reload
Port is Down/Shutdown / Vlan1 is administratively down, line protocol is down
en
config t
interface vlan 1
no shut
Enable TELNET access
en
config t
line vty 0 15
transport input telnet
password zaibtelnetpass
login
exit
exit
wr
Enable SSH access
# Set hostname and domain-name
config t
hostname cisco-switch
ip domain-name zaib.com
# Generate the RSA Keys
crypto key generate rsa
# "How many bits in the modulus [512]: 1024" – press Enter
*** Set Up the Line VTY configurations
line vty 0 4
transport input ssh
login local
username cisco password my_password
# Set the console line
line console 0
logging synchronous
login local
# Create the username password (within conf t)
username zaib password zaib1234
enable secret zaib1234
service password-encryption
exit
wr
Method#2 – Password Recovery Only:
(While keeping the existing running configuration intact) For the Cisco 3850 model see this site:
https://www.rogerperkin.co.uk/cisco/switching/3850/password-recovery-cisco-catalyst-3850/
- Connect Hyperterminal to the switch using the console cable [as mentioned at the beginning of this guide].
- Power on the switch while pressing the mode button, and release it once you see "The password-recovery mechanism is enabled."
More examples for switch models:
Now issue the following commands one by one:
flash_init
dir flash:
rename flash:config.text flash:config.old
(The config.text file contains the password.) Now continue the boot process with the following command:
boot
When you see the following dialogue
Would you like to enter the initial configuration dialog? [yes/no]:
enter "n" to abort the initial configuration dialog.
Now rename the config.old file back to config.text so that our existing settings are restored while still letting us change the password:
rename flash:config.old flash:config.text
Press Enter when asked for the destination file name. Now copy the config into the running-config so that the switch loads all the settings on next boot:
copy flash:config.text system:running-config
Press Enter when asked for the destination file name. Changing the password:
*** Overwrite the existing secret/password
en
conf t
enable secret zaib1234
enable password zaib12345
### Overwrite the existing vty password
line vty 0 15
password zaib1234
### Overwrite the existing console password
line con 0
password zaib1234
exit
exit
copy running-config startup-config
wr
DONE!
Some short notes for Cisco related commands [added on 19-OCT-2017]
#SAVE Configuration
copy running-config startup-config
wr
[in cisco 3850 i used > wr memory]
#Enable interface
no shutdown
show ip route
#Reset running configuration
write erase
delete flash:vlan.dat
reload
show vlan br
show ip int brie
#To configure port 24 as TRUNK
enable
configure terminal
interface GigabitEthernet 1/0/1
switchport trunk encapsulation dot1q
switchport mode trunk
*** FIRST Create VLAN
en
conf t
vlan 1
name Default-Vlan
exit
vlan 2
name vlan2-users
exit
vlan 3
name vlan3-users
exit
interface vlan 1
ip address 192.168.254.1 255.255.255.0
interface vlan 2
ip address 192.168.2.1 255.255.255.0
interface vlan 3
ip address 192.168.3.1 255.255.255.0
(If range then use int range f0/1 - 15 )
interface GigabitEthernet 1/0/2
switchport mode access
switchport access vlan 2
interface GigabitEthernet 1/0/3
switchport mode access
switchport access vlan 3
#
en
conf t
show ip route
#OR#
show run | include ip route
ip route 0.0.0.0 0.0.0.0 192.168.254.2
# REMOVE IP ROUTE
en
conf t
no ip route 172.16.100.0 255.255.255.0 192.168.254.2
#---------------------------------------
#remove IP on interface
en
conf t
int vlan X
no ip address
OR
no ip address 192.x.x.x 255.255.255.0
#remove VLAN
en
conf t
no int vlan 24
Backup / Restore switch config from/to a TFTP Server
Download any free TFTP server like SolarWinds TFTP, install it on your local laptop/desktop and start it as shown below …
Make sure that the switch and your TFTP server can communicate with each other.
Now from the switch issue the following command to back up to the TFTP server:
copy running-config tftp
It will ask you to enter the IP of the TFTP server; enter the IP address where TFTP is running, for example your laptop/desktop where you installed the TFTP server.
The switch config file is uploaded successfully and can be viewed in the c:\TFTP-Root folder.
To restore this config file to your switch, you can download it from the TFTP server using the following command:
copy tftp running-config
It will ask for the TFTP server IP and file name; enter the details:
Address or name of remote host []? 101.11.11.161
Source filename []? switch-confg
Destination filename [running-config]?
Accessing tftp://101.11.11.161/switch-confg...
Loading switch-confg from 101.11.11.161 (via Vlan1): !
[OK - 3946 bytes]
Enable logging to a remote syslog server (like syslog-ng)
Log in to the switch terminal and issue:
logging 101.11.11.240
# to test log sending to the log server
send log Hello World
Adding NTP client settings on a Cisco switch to synchronize time from an external source
enable
configure terminal
# I am using a Windows Domain Controller as NTP server
ntp server 10.1.1.5
end
show ntp associations
CISCO 3850 Short Notes:
Our company acquired a few 3850 series switches in March 2018. They come with a USB console cable. First download the USB port driver from my Google Drive or the Cisco portal.
https://drive.google.com/drive/folders/0B8B_P2ljEc2xcEdkd2ttV1ZmNFU
Then connect the USB cable to the USB console port on the switch front, and connect with Hyper Terminal using:
- Bits per second: 9600
- Data bits: 8
- Parity: None
- Stop bits: 1
- Flow control: None
Once you get the prompt you can use the first-time setup to add all the config you require.
Enable HTTP authentication for Cisco Network Assistant & WEB GUI
I used the following command to set up an account so that I can log in to the Cisco web GUI.
ip http authentication enable
Upgrade Firmware of Cisco 3850 24T-S (INSTALL MODE) by copying FW from TFTP to Switch Flash Directory
Read these first on BUNDLE vs INSTALL mode.
http://blog.qsolved.com/2014/02/what-are-methods-to-boot-and-run-ios-xe.html
http://wannabelab.blogspot.com/2015/09/cisco-catalyst-3650-ios-recovery-via-usb.html
Before upgrading the firmware, I had the following software version on the new Cisco 3850 24T-S switch.
show version | b SW
-------------
Switch Ports Model SW Version SW Image Mode
------ ----- ----- ---------- ---------- ----
* 2 32 WS-C3850-24T 16.3.5b CAT3K_CAA-UNIVERSALK9 INSTALL
Having a TFTP server and uploading the FW to it gives more leverage for doing various things. Download the switch upgrade image and upload it to the TFTP root folder.
Connect to the switch by SSH/telnet or by console and issue the following command:
copy tftp: flash:
Address or name of remote host []? 192.168.0.1
Source file name []? cat3k_caa-universalk9.SPA.03.06.08.E.152-2.E8.bin
Destination file name []? cat3k_caa-universalk9.SPA.03.06.08.E.152-2.E8.bin
After some minutes the new IOS will be downloaded to the flash dir.
# Switch to enable mode
en
# Issue command to upgrade to the new firmware we just downloaded in the above steps
request platform software package install switch all file flash:cat3k_caa-universalk9.SPA.03.06.08.E.152-2.E8.bin
# Switch will now start the upgrade processing ...
--- Starting install local lock acquisition on switch 1 ---
Finished install local lock acquisition on switch 1
Expanding image file: flash:cat3k_caa-universalk9.SPA.03.06.08.E.152-2.E8.bin
[1]: Expanding file
[1]: Finished expanding all-in-one software package in switch 1
SUCCESS: Finished expanding all-in-one software package.
[1]: Performing install
SUCCESS: install Finished
[1]: install package(s) on switch 1
--- Starting list of software package changes ---
Old files list:
Removed cat3k_caa-guestshell.16.03.05b.SPA.pkg
Removed cat3k_caa-rpbase.16.03.05b.SPA.pkg
Removed cat3k_caa-rpcore.16.03.05b.SPA.pkg
Removed cat3k_caa-srdriver.16.03.05b.SPA.pkg
Removed cat3k_caa-wcm.16.03.05b.SPA.pkg
Removed cat3k_caa-webui.16.03.05b.SPA.pkg
New files list:
Added cat3k_caa-base.SPA.03.06.08E.pkg
Added cat3k_caa-drivers.SPA.03.06.08E.pkg
Added cat3k_caa-infra.SPA.03.06.08E.pkg
Added cat3k_caa-iosd-universalk9.SPA.152-2.E8.pkg
Added cat3k_caa-platform.SPA.03.06.08E.pkg
Added cat3k_caa-wcm.SPA.10.2.180.0.pkg
Finished list of software package changes
SUCCESS: Software provisioned. New software will load on reboot.
[1]: Finished install successful on switch 1
Checking status of install on [1]
[1]: Finished install in switch 1
SUCCESS: Finished install: Success on [1]
Now issue the reload command to restart with the new firmware.
reload
System configuration has been modified. Save? [yes/no]: yes
Continue to reboot.
After the upgrade I now have this:
Switch>show version | b SW
Switch Ports Model SW Version SW Image Mode
------ ----- ----- ---------- ---------- ----
* 1 32 WS-C3850-24T 03.06.08E cat3k_caa-universalk9 INSTALL
Configuration register is 0x102
Enable SSH Timeout Value
# For a 60 minute timeout value for the ssh session
en
conf t
line vty 0 4
# 1 hour timeout value for the ssh session
exec-timeout 60
Enable NTP Server in Cisco Switch
en
show clock
conf t
# If you are using an EXTERNAL NTP server, then make sure you have defined a default gateway and the internet is accessible.
# ip default-gateway 101.11.11.36
# Add NTP Server
ntp server 92.223.73.5
# Enable NTP logging if required
ntp logging
clock timezone PST +5
service timestamps log datetime localtime
# Disable NTP logging if required
no ntp logging
Show logs' time in local timezone format
en
conf t
# GMT time-zone for +5
clock timezone PST +5
service timestamps log datetime localtime
Enable SNMP in Cisco Switch
en
conf t
snmp-server community public
exit
wr
Upgrade Cisco 3560 (WS-C3560G-24PS-S) Firmware
First download the right firmware and upload it to some TFTP server, then log in to the switch via ssh/telnet and issue the following … (it works quickly, BUT this is a risky method)
show boot
delete flash:c3560-ipbasek9-mz.122-55.SE11.bin
copy tftp://10.1.1.1/c3560-ipbasek9-mz.150-2.SE11.bin flash:c3560-ipbasek9-mz.150-2.SE11.bin
# CONFIRM, and once it's done copying, issue the reload command as below ...
reload
ERROR: %SPANTREE-7-RECV_1Q_NON_TRUNK: Received 802.1Q BPDU on non trunk Gi
After installing new Cisco switches (3850) in the data center, some of the uplink ports to other switches were getting disabled with the error below.
ERROR: %SPANTREE-7-RECV_1Q_NON_TRUNK: Received 802.1Q BPDU on non trunk Gi
I had to put all uplink ports in TRUNK mode on both ends of the switches and the problem was solved right away.
Detail can be found here …
Console / Terminal / PUTTY settings for SERIAL connectivity
- For 3750G Switch / Serial Speed: 115200
- For 3850 / 3560G Switch / Serial Speed: 9600
- For 2960G 8 port switch (WS-C2960G-8TC-L) / Serial Speed: 9600
Cisco SG Series switches Commands
To enable a port which was disabled due to loopback detection:
errdisable recovery reset interface GigabitEthernet25
show mac address-table count
show cpu utilization
sh cpu input rate
show arp
show services tcp-udp
show log file
Cisco Classic Series switches commands
show processes memory sorted
show ver | in IOS
sh process cpu
sh process cpu sorted
show spanning-tree detail
show spanning-tree summ
show spanning-tree active
show spanning-tree root
show spanning-tree inconsistentports
debug spanning-tree events
#To view which port is sending most port status changes TCN etc
show spanning-tree detail | in ieee|from|occur|is exec
Copy running config to remote TFTP Server
#CISCO CLASSIC SERIES
show running-config | redirect tftp://10.1.1.2/cisco_sw/sw_mkt_101.1.1.6.txt
# SG SERIES
copy running-config tftp://10.1.1.2/cisco_sw/sw_mkt_10.1.1.6.txt
Copy daily backup to TFTP Server via KRON
en
conf t
kron policy-list daily-backup
cli show startup-config | redirect tftp://10.1.1.2/cisco_sw/sw_noc_10.1.1.6.txt
exit
kron occurrence daily-backup at 00:00 recurring
policy-list daily-backup
exit
exit
wr
Error opening tftp messages after reboot
You can disable them with
no service config
Enable SSH
enable
conf t
line vty 0 4
transport input ssh
login local
password 0 MYPASSWORD
line console 0
logging synchronous
login local
enable secret MYPASSWORD
service password-encryption
Quick Notes on configuring a new switch – (personal version for reference purposes) – Cisco 2960-48-Ports – May 2021
en
conf t
hostname sw2-nob-2nd-floor
# Enable SSH
ip domain-name ZAIB
crypto key generate rsa
ip ssh version 2
# HTTP idle timeout
ip http session-idle-timeout 10
service tcp-keepalives-in
service tcp-keepalives-out
service password-encryption
login local
line console 0
no password swset4me
no password MYPASSWORD*$
login local
line vty 0 15
no privilege level 15
no password swset4me
no password MYPASSWORD*$
no login local
line vty 0 4
no privilege level 15
transport input ssh
login local
line aux 0
no exec
clock timezone PST +5
service timestamps log datetime localtime
#Disable TELNET & enable SSH only
line vty 0 15
transport input ssh
#To set idle timeout for session in switch
line con 0
exec-timeout 10
exit
service password-encryption
interface Vlan1
ip address 10.11.12.251 255.0.0.0
no ip redirects
no ip unreachables
no ip proxy-arp
no ip http server
ip http secure-server
ip http banner
ip http access-class 10
ip http secure-server
ip http session-idle-timeout 10
no ip domain-lookup
no ip bootp server
ip dhcp bootp ignore
no service dhcp
vtp mode transparent
vtp password MYPASSWORD*$
no username cisco privilege 15 password
username cisco privilege 15 secret MYPASSWORD*$
aaa new-model
aaa authentication login default local
no enable password
enable secret MYPASSWORD*$
kron occurrence daily-backup at 0:00 recurring
policy-list daily-backup
!
kron policy-list daily-backup
cli show startup-config | redirect tftp://10.11.12.38/cisco_sw/sw_10.11.12.251.txt
exit
!
logging host 10.11.12.38
access-list 10 remark Permit Admin Subnet to access particular services on this switch- ACL by zaib
access-list 10 permit 10.11.11.0 0.0.0.255 log
access-list 10 permit 10.11.12.0 0.0.0.255 log
access-list 10 deny any log
line vty 0 4
transport input ssh
access-class 10 in
exec-timeout 10
!
!
snmp-server community $SNMP&% RO 10
snmp mib flash cache
!
!
banner exec ^C
EXEC note: Login Successful. Welcome to ZAIB Network.
Unauthorized access/usage of this device is prohibited!
^C
banner login ^C
EXEC note: Unauthorized access/usage of this device is prohibited!
^C
banner motd ^C
MOTD Note: Login Successful. Welcome to ZAIB Network.
Unauthorized access/usage of this device is prohibited!
^C
!
line con 0
logging synchronous
line vty 0 4
access-class 10 in
length 0
transport input ssh
line vty 5 15
transport input ssh
!
ntp server 10.11.11.5
!
interface range GigabitEthernet1/0/1-44
description user_port
switchport mode access
spanning-tree portfast edge
spanning-tree bpduguard enable
interface range GigabitEthernet1/0/45-48
description Trunk_1G
switchport mode trunk
interface range GigabitEthernet1/0/49-50
description Trunk_1G
switchport mode trunk
interface range Te1/0/1-2
description Trunk_10G
switchport mode trunk
exit
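As an added example (not from the original post), the following Python script reads a config backup of the kind saved with copy running-config tftp and flags the settings the baseline above replaces: telnet on the vty lines, no access-class or exec-timeout, an enable password instead of a secret, missing service password-encryption, and an SNMP community that is well-known or has no access-list. Both sample configs are constructed for illustration and the secret hash is a placeholder.

```python
import re

# Constructed sample in the style of this page: a freshly reset switch with telnet,
# a line password and the default SNMP community still in place.
WEAK_CONFIG = """\
enable password zaib1234
snmp-server community public RO
line vty 0 15
 transport input telnet
 password zaibtelnetpass
 login
"""
# Constructed sample following the May 2021 baseline above (secret hash is a placeholder).
HARDENED_CONFIG = """\
service password-encryption
enable secret 5 $PLACEHOLDER-HASH$
access-list 10 permit 10.11.12.0 0.0.0.255 log
access-list 10 deny any log
snmp-server community $SNMP&% RO 10
line vty 0 15
 access-class 10 in
 exec-timeout 10
 transport input ssh
 login local
"""


def parse_sections(config):
    """Split a config into global lines and {'line ...' header: [indented sub-lines]}."""
    global_lines, sections, current = [], {}, None
    for line in (l.rstrip() for l in config.splitlines()):
        if line.startswith(" ") and current is not None:
            sections[current].append(line.strip())  # indented line belongs to the open line section
        elif line.startswith("line "):
            current = line
            sections[current] = []
        elif line and not line.startswith("!"):
            current = None
            global_lines.append(line)
    return global_lines, sections


def audit(config):
    """Return the list of findings; an empty list means nothing was flagged."""
    glob, sections = parse_sections(config)
    findings = []
    if "service password-encryption" not in glob:
        findings.append("service password-encryption missing")
    if any(g.startswith("enable password ") for g in glob):
        findings.append("enable password used instead of enable secret")
    for m in filter(None, (re.match(r"snmp-server community (\S+) (RO|RW)(?: (\S+))?$", g) for g in glob)):
        community, mode, acl = m.groups()
        if community in ("public", "private"):
            findings.append(f"well-known SNMP community '{community}'")
        if acl is None:
            findings.append(f"SNMP {mode} community without an access-list")
    for header, body in sections.items():
        if header.startswith("line vty"):
            if any(b.startswith("transport input") and "telnet" in b for b in body):
                findings.append(f"{header}: telnet allowed")
            if not any(b.startswith("access-class") for b in body):
                findings.append(f"{header}: no access-class restricting sources")
        if not any(b.startswith("exec-timeout") for b in body):
            findings.append(f"{header}: no exec-timeout")
    return findings
```

Run audit() over the text file the KRON job above drops on the TFTP server to catch a switch that was reset and never brought back to the baseline.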
LOGGING [spanning tree]
#ENABLE SPANNING TREE EVENTS
debug spanning-tree event
show spanning-tree mst configuration
show spanning-tree detail
show spanning-tree detail | in ieee|from|occur|is exec
show spanning-tree active
show spanning-tree inconsistentports
SHOW LOGGING related
sh log | inc Mar 23
sh log | begin Mar 23
SHOW IP against MAC ADDRESS in switch (L3 or with gateway)
sh mac address-table address 00:10:9B:9D:83:E1
1 0010.9b9d.83e1 DYNAMIC Te1/0/1
>>>****>
sh ip arp 0010.9b9d.83e1
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.11.11.3 4 0010.9b9d.83e1 ARPA Vlan1
Transceiver Optimal values
CMD to show SFP transceiver values:
sh int gi0/28 transceiver detail
(gi0/28 is an SFP interface with an SFP module.)
Ideal values for TX/RX:
- Transmitter power is -6dBm, but it could range between -1 and -7 dBm.
- Receiver power could range between -1 and -9 dBm.
At times the actual transmission may not happen, and the transmission power may fall below -25 or even -30 dBm. This may happen due to electromagnetic interference or heightened noise levels at the receiver end.
The other scenario may be transmission power falling below -10 or even down to -15 dBm. This may imply signal loss, a faulty connector or cable, or a splicing issue.
Example of one good working 10G SFP+ connection:
sw1-1st-floor#sh int Te1/0/1 trans deta.
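The MAC-to-IP lookup in the "SHOW IP against MAC ADDRESS" notes above takes two commands and two MAC formats (colon-separated on input, Cisco dotted in the output). As an added example (not from the original post), this Python script joins constructed show mac address-table and show ip arp output and resolves either a MAC in colon, dash or dotted form or an IPv4 address to its VLAN and port; the sample tables and addresses are constructed.

```python
import re

# Constructed sample output in the layout the two commands above produce.
MAC_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0010.9b9d.83e1    DYNAMIC     Te1/0/1
   1    0050.56aa.1b2c    DYNAMIC     Gi1/0/7
"""
ARP_TABLE = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.11.11.3              4   0010.9b9d.83e1  ARPA   Vlan1
Internet  10.11.11.9              0   0050.56aa.1b2c  ARPA   Vlan1
Internet  10.11.12.251            -   0010.9b9d.ffff  ARPA   Vlan1
"""
CISCO_MAC = r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"


def normalize_mac(mac):
    """Accept 00:10:9B:9D:83:E1, 00-10-9b-9d-83-e1 or 0010.9b9d.83e1; return Cisco dotted form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))


def parse_mac_table(text):
    """'show mac address-table' -> {mac: (vlan, port)}; header and rule lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+" + CISCO_MAC + r"\s+\S+\s+(\S+)", line)
        if m:
            table[m.group(2)] = (int(m.group(1)), m.group(3))
    return table


def parse_arp_table(text):
    """'show ip arp' -> {mac: ip}; an age of '-' marks the switch's own SVI address."""
    table = {}
    for line in text.splitlines():
        m = re.match(r"Internet\s+(\S+)\s+\S+\s+" + CISCO_MAC, line)
        if m:
            table[m.group(2)] = m.group(1)
    return table


def locate(query, mac_text=MAC_TABLE, arp_text=ARP_TABLE):
    """Resolve a MAC (any common format) or an IPv4 address to mac/ip/vlan/port."""
    macs, arps = parse_mac_table(mac_text), parse_arp_table(arp_text)
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", query):
        mac = next((m for m, ip in arps.items() if ip == query), None)
        if mac is None:
            return None  # IP never seen in ARP: nothing to look up in the MAC table
    else:
        mac = normalize_mac(query)
    vlan, port = macs.get(mac, (None, None))  # port stays None for the switch's own MAC
    return {"mac": mac, "ip": arps.get(mac), "vlan": vlan, "port": port}
```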
Find Reason Of err-disabled ports
By DEFAULT, the interface is put into the err-disabled state if it flaps more than five times in 10 seconds.
Show error-disabled interfaces:
show interfaces status err-disabled
Find flap values from the switch:
show errdisable flap-values
Example:
MySwitch# show errdisable flap-values
ErrDisable Reason Flaps Time (sec)
----------------- ------ ----------
pagp-flap 3 30
dtp-flap 3 30
link-flap 5 10
Other related useful CMD's
Find the following blog for more useful CMD's
Switch BUFFER logging to store logs
To increase the logging buffer size, you may use:
logging buffered 262144
The above cmd will increase the logging buffer to 2 MB. On my switch it showed 3 days of logging.
Regards,
Syed Jahanzaib