Archives for May 2013

I am just making a list of FREE Cisco Practice exams that should help you on the way to get your CCENT (ICND1) and CCNA (ICND1 & ICND2).

I am going to list them in two categories

1. Cisco Certified
2. Not-Cisco Certified

Hopefully you will benefit from these practice tests as much as I have…

Cisco Certified FREE exams

1. FREE ICND1 test exam
2. FREE ICND2 test exam
3. FREE CCNA test exam

Non-Cisco Certified FREE exams

• Stay tuned for more links

First off… CDP stands for “Cisco Discovery Protocol”. It’s a protocol that… You guessed it.. Discovers other connected Cisco devices on your network.

There are several CDP commands and their output can look similar or completely different to other CDP commands.

On a Cisco exam you might be asked something like:

• “Which of the following commands could tell you information about IOS” or
• “Which of the following CDP command could identify a neighbor’s model of hardware”
• “What Port does switch “s1” connect to switch “s3”.

To explain CDP I will be using Packet Tracer… Here is my Map:

A couple of things to also give you…

• s1 – Port fa0/24 is connected to “fa0/24 on s2”.
• s1 – Port fa0/23 is connected to “fa0/1 on s3”.
• s2 – Port fa0/23 is connected to “fa0/2” on s3”

Look at s1’s perspective:

First we’ll look at both the “show cdp” and “show cdp neighbors” commands:

If we didn’t already know the names of the switches we now do. It’s listed under “Device ID” column. Also please note under Port ID you can see what port the switch connects to on the neighbor switch.

Next command will show all switches connected to a single switch. The command is “show cdp neighbors detail”.

A command that gives similar output as the last one is: “show cdp entry s2”. This command though only shows the detailed info for switch you select.

Cisco recommends that you disabled CDP on any port that doesn’t connect to another Cisco device.

To completely disable/re-enable CDP on a switch run:

• no cdp run (gloabal config) (disable for whole switch)
• cdp run (global Config) (enable for whole switch)

To disable and enable the cdp on switch per interface you need to run these commands:

• no cdp enable (interface subcommand)
• cdp enable (interface subcommand)

Hope this helps explain CDP and what some of the information CDP can give you depending on what CDP command you use.

By default Cisco has made it’s switches essentially plug and play. This plug and play mentality actually leaves some pretty large security concerns on the switch. There are 3 very easy ways to secure ports on a Cisco switch. They are:

1. Administrative disable the interface using the shutdown interface subcommand. IF you just shutdown the interface, the exposure goes away. The next two commands will help just encase someone re-enables the port.
2. Prevent VLAN Trunking. You can do this by running the switchport mode access interface subcommand.
3. Assign the port to an un-used VLAN using the switchport access vlan number subcommand.

I know seeing the workflow in an example can help as well. I am going to be working on switch “s1”. I will take fa0/24 and secure the port. I am going to make my own new VLAN that all new ports that need to be secured will be apart of. This VLAN will be VLAN 4 and I will name it “SECURED-VLAN”.

Let’s verify it’s in the proper VLAN using the “show vlan brief” command:

Hopefully this helps you secure un-used ports on a Cisco Switch!

There are three main ways of locking down your Cisco switch. Before going into what how to setup the passwords it probably a good idea to talk about the 3 types of passwords. The names pretty much tells you what the password is used for.

1. Console – As you should know in order to connect to the console you need to connect the console cable from your laptop into the back of the switch. You need to run a terminal program like Putty that will give you access to the switches text console.
2. VTY – By default all cisco switches can not be accessed remotely via a terminal program like PuTTy. There are two methods of connecting remotely either terminal connection or a Secure Shell (SSH) connection. The main difference between the two is one is not-encrypted and the other one is.
3. Enable – This is a command that allows you to start programming the switch. This can be setup with a clear text password, encrypted password that is easy to break or a MD5 encrypted password that is almost impossible to break.

Now that you know where and what you can password protect, the next part is to configure these passwords. Depending on the password “type” there may be a few ways of creating a password. Please note that even if you give the different items the same password they are considered different. If a password were to be changed on one, it would not effect the others.

Console Password

In order to setup the console password you will need to enter these lines.

• enable
• conf t
• line console 0 <- the “0” is a zero.
• password consolepassword <- “consolepassword” is the password I specified. please change it to whatever you want.
• login <- If you do not tell the switch “login” it will not prompt you for a password at login.

VTY password

In order to setup the VTY password you will need to enter these lines.

• enable
• conf t
• line vty 0 15 <- the “0” is a zero.
• password vtypassword <- “vtypassword” is the password I specified. please change it to whatever you want.
• login <- If you do not tell the switch “login” it will not prompt you for a password when you log into via telnet or SSH client.

Enable password

In order to setup the Enable password you will need to enter these lines.

This password is stored completely in clear text in the config file.

• enable
• conf t
• enable password enablepassword <- “enablepassword” is the password I specified. please change it to whatever you want.
• service password-encryption <- This step is optional. It encrypts all current and future passwords with a very easy de-cryption algorithem.

It’s a better to idea to use the enable secret password. To use the MD5 encryption you need to run this command. Please note that if you’ve setup the “enable password” AND “enable secret”, The password used in “enable secret” will always be used. It’s also good to note that the two passwords can be different.

• enable
• conf t
• enable secret secretpassword <- “enablepassword” is the password I specified. please change it to whatever you want.

Here’s a screenshot where I enable all the passwords in one terminal session:

At this point it’s good to check out the running configuration. To do this type:

Please notice how the secret password doesn’t reflect what you’ve typed. Please also note how the enable password is in clear text. I’m going to remind you if you want to encrypt the “enable password” you would need to type: service password-encryption. Please NOTE that this command doesn’t do anything to the secret password. Ie. it doesn’t encrypt the already encrypted password.

This is what would look like after you have typed “service password-encryption”

Hope this helps 🙂

Packet Tracer allows you to emulate plugging in a console cable with a computer and logging in. To emulate connecting to a console with Packet Tracer you will need a couple of things dropped onto your packet tracer document:

1. Switch (2960)
2. Laptop
3. Console cable running from the laptop (RS 232) to the switch (Console port)

Here are the steps to connect and configure everything

Click the console cable.

Click the Laptop and select the port RS 232.

Then select the console port on the switch:

Open the laptop and go to terminal:

Keep the default settings:

Voila… You’re in 🙂