Catalyst 6500 Series Cisco IOS Software Configuration Guide, 12.1E - Configuring the Switch for the First Time [Cisco Catalyst 6500 Series Switches]

Table Of Contents

Configuring the Switch for the First Time

Default Configuration

Configuring the Switch

Using the Setup Facility or the setup Command

Setup Overview

Configuring the Global Parameters

Configuring Interfaces

Using Configuration Mode

Checking the Running Configuration Before Saving

Saving the Running Configuration Settings

Reviewing the Configuration

Configuring a Default Gateway

Configuring a Static Route

Configuring a BOOTP Server

Protecting Access to Privileged EXEC Commands

Setting or Changing a Static Enable Password

Using the enable password and enable secret Commands

Setting or Changing a Line Password

Setting TACACS+ Password Protection for Privileged EXEC Mode

Encrypting Passwords

Configuring Multiple Privilege Levels

Setting the Privilege Level for a Command

Changing the Default Privilege Level for Lines

Logging In to a Privilege Level

Exiting a Privilege Level

Displaying the Password, Access Level, and Privilege Level Configuration

Recovering a Lost Enable Password

Modifying the Supervisor Engine Startup Configuration

Understanding the Supervisor Engine Boot Configuration

Understanding the Supervisor Engine Boot Process

Understanding the ROM Monitor

Configuring the Software Configuration Register

Modifying the Boot Field and Using the boot Command

Modifying the Boot Field

Verifying the Configuration Register Setting

Specifying the Startup System Image

Understanding Flash Memory

Flash Memory Features

Security Features

Flash Memory Configuration Process

BOOTLDR Environment Variable

CONFIG_FILE Environment Variable

Controlling Environment Variables

Setting the BOOTLDR Environment Variable

Configuring the Switch for the First Time

This chapter contains information about how to initially configure the Catalyst 6500 series switch, which supplements the administration information and procedures in these publications:

•Cisco IOS Configuration Fundamentals Configuration Guide, Release 12.1, at this URL:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/fun_c/index.htm

•Cisco IOS Configuration Fundamentals Configuration Command Reference, Release 12.1, at this URL:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/fun_r/index.htm

Note For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 6500 Series Switch Cisco IOS Command Reference publication and the Release 12.1 publications at this URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/index.htm

This chapter consists of these sections:

•Default Configuration

•Configuring the Switch

•Protecting Access to Privileged EXEC Commands

•Recovering a Lost Enable Password

•Modifying the Supervisor Engine Startup Configuration

Default Configuration

Table 3-1 shows the default configuration.

Table 3-1 Default Configuration

Feature

Default Value

Administrative connection

Normal mode

Global information

No value for the following:

•System name

•System contact

•Location

System clock

No value for system clock time

Passwords

No passwords configured for normal mode or enable mode (press the Return key)

Prompt

Router>

Configuring the Switch

These sections describe how to configure the switch:

•Using the Setup Facility or the setup Command

•Using Configuration Mode

•Checking the Running Configuration Before Saving

•Saving the Running Configuration Settings

•Reviewing the Configuration

•Configuring a Default Gateway

•Configuring a Static Route

•Configuring a BOOTP Server

Note With Release 12.1(11b)E and later, when you are in configuration mode you can enter EXEC mode-level commands by entering the do keyword before the EXEC mode-level command.

Using the Setup Facility or the setup Command

These sections describe the setup facility and the setup command:

•Setup Overview

•Configuring the Global Parameters

•Configuring Interfaces

Setup Overview

At initial startup, the switch automatically defaults to the setup facility. (The setup command facility functions exactly the same as a completely unconfigured system functions when you first boot it up.) You can run the setup facility by entering the setup command at the enable prompt (#).

When you enter the setup command, current system configuration defaults are displayed in square brackets [ ] as you move through the setup command process and are queried by the system to make changes.

For example, you will see this display when you use the setup facility:
Configuring interface FastEtherent3/1:
  Is this interface in use?: yes
  Configure IP on this interface?: yes
When you use the setup command, you see this display:
Configuring interface FastEthernet4/1:
  Is this interface in use?[yes]: yes
  Configure IP on this interface?[yes]: yes
Configuring the Global Parameters

When you first start the setup facility or enter the setup command, you are queried by the system to configure the global parameters, which are used for controlling system-wide settings.

To boot the switch and enter the global parameters, follow these steps:

Step 1 Connect a console terminal to the console interface on the supervisor engine, and then boot the system to the user EXEC prompt (Router>).

The following display appears after you boot the Catalyst 6500 series switch (depending on your configuration, your display might not exactly match the example):
System Bootstrap, Version 6.1(2)
Copyright (c) 1994-2000 by cisco Systems, Inc.
c6k_sup2 processor with 131072 Kbytes of main memory
rommon 1 > boot slot0:c6sup22-jsv-mz.121-5c.EX.bin
Self decompressing the image : #################################################
################################################################################
################################################################################
################################################################################
################################################################################
 [OK]
              Restricted Rights Legend
Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.
           cisco Systems, Inc.
           170 West Tasman Drive
           San Jose, California 95134-1706
Cisco Internetwork Operating System Software 
IOS (tm) c6sup2_sp Software (c6sup2_sp-SPV-M), Version 12.1(5c)EX, EARLY DEPLOYM
ENT RELEASE SOFTWARE (fc1)
Synced to mainline version: 12.1(5c)
TAC:Home:Software:Ios General:CiscoIOSRoadmap:12.1
Copyright (c) 1986-2001 by cisco Systems, Inc.
Compiled Wed 28-Mar-01 18:36 by hqluong
Image text-base: 0x30020980, data-base: 0x306B8000
Start as Primary processor
00:00:05: %SYS-3-LOGGER_FLUSHING: System pausing to ensure console debugging out
put.
00:00:03: Currently running ROMMON from S (Gold) region
00:00:05: %OIR-6-CONSOLE: Changing console ownership to route processor
System Bootstrap, Version 12.1(3r)E2, RELEASE SOFTWARE (fc1)
Copyright (c) 2000 by cisco Systems, Inc.
Cat6k-MSFC2 platform with 131072 Kbytes of main memory
rommon 1 > boot
Self decompressing the image : #################################################
################################################################################
## [OK]
              Restricted Rights Legend
Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.
           cisco Systems, Inc.
           170 West Tasman Drive
           San Jose, California 95134-1706
Cisco Internetwork Operating System Software 
IOS (tm) MSFC2 Software (C6MSFC2-BOOT-M), Version 12.1(3a)E4, EARLY DEPLOYMENT R
ELEASE SOFTWARE (fc1)
Copyright (c) 1986-2000 by cisco Systems, Inc.
Compiled Sat 14-Oct-00 05:33 by eaarmas
Image text-base: 0x30008980, data-base: 0x303B6000
cisco Cat6k-MSFC2 (R7000) processor with 114688K/16384K bytes of memory.
Processor board ID SAD04430J9K
R7000 CPU at 300Mhz, Implementation 39, Rev 2.1, 256KB L2, 1024KB L3 Cache
Last reset from power-on
X.25 software, Version 3.0.0.
509K bytes of non-volatile configuration memory.
16384K bytes of Flash internal SIMM (Sector size 512K).
Press RETURN to get started!
Note The first two sections of the configuration script (the banner and the installed hardware) appear only at initial system startup. On subsequent uses of the setup command facility, the setup script begins with the following System Configuration Dialog.
--- System Configuration Dialog ---
Continue with configuration dialog? [yes/no]: y
At any point you may enter a question mark '?' for help.
Use ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.
Basic management setup configures only enough connectivity
for management of the system, extended setup will ask you
to configure each interface on the system
Note The examples in this section are intended as examples only. Your configuration might look differently depending on your system configuration.

Step 2 Enter yes or press Return when asked if you want to enter the configuration dialog and if you want to see the current interface summary. Press Return to accept the default (yes):
Would you like to enter the initial configuration dialog? [yes]:
First, would you like to see the current interface summary? [yes]:
This example of a yes response (displayed during the setup facility) shows a switch at first-time startup; that is, nothing has been configured:
Current interface summary
Interface                  IP-Address      OK? Method Status                Protocol
Vlan1                      unassigned      YES TFTP   administratively down down
GigabitEthernet1/1         unassigned      YES TFTP   administratively down down
GigabitEthernet1/2         unassigned      YES TFTP   administratively down down
GigabitEthernet3/1         unassigned      YES TFTP   administratively down down
GigabitEthernet3/2         unassigned      YES TFTP   administratively down down
GigabitEthernet3/3         unassigned      YES TFTP   administratively down down
GigabitEthernet3/4         unassigned      YES TFTP   administratively down down
GigabitEthernet3/5         unassigned      YES TFTP   administratively down down
GigabitEthernet3/6         unassigned      YES TFTP   administratively down down
GigabitEthernet3/7         unassigned      YES TFTP   administratively down down
GigabitEthernet3/8         unassigned      YES TFTP   administratively down down
(Additional displayed text omitted from this example.)
This example of a yes response (displayed during the setup command facility) shows a switch with some interfaces already configured:
Current interface summary
Interface                  IP-Address      OK? Method Status                Protocol
Vlan1                      unassigned      YES TFTP   administratively down down
GigabitEthernet1/1         172.20.52.34    YES NVRAM  up                    up
GigabitEthernet1/2         unassigned      YES TFTP   administratively down down
GigabitEthernet3/1         unassigned      YES TFTP   administratively down down
GigabitEthernet3/2         unassigned      YES TFTP   administratively down down
GigabitEthernet3/3         unassigned      YES TFTP   administratively down down
GigabitEthernet3/4         unassigned      YES TFTP   administratively down down
GigabitEthernet3/5         unassigned      YES TFTP   administratively down down
GigabitEthernet3/6         unassigned      YES TFTP   administratively down down
GigabitEthernet3/7         unassigned      YES TFTP   administratively down down
GigabitEthernet3/8         unassigned      YES TFTP   administratively down down
<...output truncated...>
Step 3 Choose which protocols to support on your interfaces. On IP installations only, you can accept the default values for most of the questions.

A typical minimal configuration using IP follows and continues through Step 8:
Configuring global parameters: 
  Enter host name [Router]: Router
Step 4 Enter the enable secret password when the following is displayed (remember this password for future reference):
The enable secret is a password used to protect access to
privileged EXEC and configuration modes. This password, after
entered, becomes encrypted in the configuration.
Enter enable secret: barney
Step 5 Enter the enable password when the following is displayed (remember this password for future reference):
The enable password is used when you do not specify an
enable secret password, with some older software versions, and
some boot images.
Enter enable password: wilma
The commands available at the user EXEC level are a subset of those available at the privileged EXEC level. Because many privileged EXEC commands are used to set operating parameters, you should protect these commands with passwords to prevent unauthorized use.

You must enter the correct password to gain access to privileged EXEC commands. When you are running from the boot ROM monitor, the enable password might be the correct one to use, depending on your boot ROM level.

The enable and enable secret passwords need to be different for effective security. You can enter the same password for both enable and enable secret during the setup script, but you receive a warning message indicating that you should enter a different password.

Note An enable secret password can contain from 1 to 25 uppercase and lowercase alphanumeric characters; an enable password can contain any number of uppercase and lowercase alphanumeric characters. In both cases, a number cannot be the first character. Spaces are also valid password characters; for example, "two words" is a valid password. Leading spaces are ignored; trailing spaces are recognized.

Step 6 Enter the virtual terminal password when the following is displayed (remember this password for future reference):
The virtual terminal password is used to protect
access to the router over a network interface.
Enter virtual terminal password: bambam
Step 7 In most cases you will use IP routing. If so, you must also select an interior routing protocol, for example, the Enhanced Interior Gateway Routing Protocol (EIGRP).

Enter yes (the default) or press Return to configure IP, and then select EIGRP:
Configure IP? [yes]:
Configure EIGRP routing? [yes]:
Your IGRP autonomous system number [1]: 301
Step 8 Enter yes or no to accept or refuse SNMP management:
Configure SNMP Network Management? [yes]:
Community string [public]: 
For complete SNMP information and procedures, refer to these publications:

•Cisco IOS Configuration Fundamentals Configuration Guide, Release 12.1, "Cisco IOS System Management," "Configuring SNMP Support," at this URL:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/fun_c/fcprt3/fcd301.htm

•Cisco IOS Configuration Fundamentals Configuration Command Reference, Release 12.1, at this URL:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/fun_r/index.htm

To provide a review of what you have done, a display similar to the following appears and lists all of the configuration parameters you selected in Steps 3 through 8. These parameters and their defaults are shown in the order in which they appeared on your console terminal:
The following configuration command script was created:
hostname router
enable secret 5 $1$S3Lx$uiTYg2UrFK1U0dgWdjvxw.
enable password lab
line vty 0 4
password lab
no snmp-server
!
ip routing eigrp 301
!
interface Vlan1
shutdown
no ip address
!
interface GigabitEthernet1/1
shutdown
no ip address
!
interface GigabitEthernet1/2
shutdown
no ip address
!
.
<...output truncated...>
.!
end
[0] Go to the IOS command prompt without saving this config.
[1] Return back to the setup without saving this config.
[2] Save this configuration to nvram and exit.
Enter your selection [2]: 2
% You can enter the setup, by typing setup at IOS command prompt
Router#
This completes the procedure on how to configure global parameters. The setup facility continues with the process to configure interfaces in the next section "Configuring Interfaces."

Configuring Interfaces

This section provides steps for configuring installed interfaces (using the setup facility or setup command facility) to allow communication over your external networks. To configure the interface parameters, you need your interface network addresses, subnet mask information, and which protocols you want to configure. (For additional interface configuration information on each of the modules available, refer to the individual configuration notes that shipped with your modules.)

Note The examples in this section are intended as examples only. Your configuration might look differently depending on your system configuration.

To configure interfaces, follow these steps:

Step 1 At the prompt for the Gigabit Ethernet interface configuration, enter the appropriate responses for your requirements, using your own address and subnet mask:
Do you want to configure GigabitEthernet1/1 interface? [no]: yes
  Configure IP on this interface? [no]: yes
    IP address for this interface: 172.20.52.34
    Subnet mask for this interface [255.255.0.0] : 255.255.255.224
    Class B network is 172.20.0.0, 27 subnet bits; mask is /27
Step 2 At the prompt for all other interface types, enter the appropriate responses for your requirements:
Do you want to configure FastEthernet5/1  interface? [no]: y
  Configure IP on this interface? [no]: y
    IP address for this interface: 172.20.52.98
    Subnet mask for this interface [255.255.0.0] : 255.255.255.248
    Class B network is 172.20.0.0, 29 subnet bits; mask is /29
Repeat this step for each interface you need to configure. Proceed to Step 3 to check and verify your configuration parameters.

When you reach and respond to the configuration dialog for the last installed interface, your interface configuration is complete.

Step 3 Check and verify the entire list of configuration parameters, which should display on your console terminal and end with the following query:
Use this configuration? [yes/no]:
A no response places you back at the enable prompt (#). You will need to reenter the setup command to reenter your configuration. A yes response saves the running configuration to NVRAM as follows:
Use this configuration? [yes/no]: yes
[OK]
Use the enabled mode `configure' command to modify this configuration.
Press RETURN to get started!
After you press the Return key, this prompt appears:
Router>
This completes the procedures for configuring global parameters and interface parameters in your system. Your interfaces are now available for limited use.

If you want to modify the currently saved configuration parameters after the initial configuration, enter the setup command. To perform more complex configurations, enter configuration mode and use the configure command. Check the current state of the switch using the show version command, which displays the software version and the interfaces, as follows:
Router# show version
Cisco Internetwork Operating System Software 
IOS (tm) c6sup2_rp Software (c6sup2_rp-JS-M), Version 12.1(13)E1, EARLY DEPLOYM)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Wed 06-Nov-02 13:57 by eaarmas
Image text-base: 0x40008C00, data-base: 0x41A72000
ROM: System Bootstrap, Version 12.1(11r)E1, RELEASE SOFTWARE (fc1)
BOOTLDR: c6sup2_rp Software (c6sup2_rp-JS-M), Version 12.1(13)E1, EARLY DEPLOYM)
Router uptime is 4 hours, 22 minutes
Time since Router switched to active is 4 hours, 22 minutes
System returned to ROM by power-on (SP by power-on)
System image file is "sup-bootflash:c6sup22-js-mz.121-13.E1"
cisco Catalyst 6000 (R7000) processor with 112640K/18432K bytes of memory.
Processor board ID SAD06210067
R7000 CPU at 300Mhz, Implementation 39, Rev 3.3, 256KB L2, 1024KB L3 Cache
Last reset from power-on
Bridging software.
X.25 software, Version 3.0.0.
SuperLAT software (copyright 1990 by Meridian Technology Corp).
TN3270 Emulation software.
4 Virtual Ethernet/IEEE 802.3  interface(s)
48 FastEthernet/IEEE 802.3 interface(s)
2 Gigabit Ethernet/IEEE 802.3 interface(s)
381K bytes of non-volatile configuration memory.
16384K bytes of Flash internal SIMM (Sector size 512K).
Configuration register is 0x2102
Router# 
For detailed interface configuration information, refer to the Cisco IOS Interface Configuration Guide at this URL:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/inter_c/index.htm

Using Configuration Mode

If you prefer not to use the setup facility, you can configure the switch from configuration mode as follows:

Step 1 Connect a console terminal to the console interface of your supervisor engine.

Step 2 When you are asked if you want to enter the initial dialog, answer no to enter the normal operating mode as follows:
Would you like to enter the initial dialog? [yes]: no
Step 3 After a few seconds you will see the user EXEC prompt (Router>). Type enable to enter enable mode:
Router> enable
Note Configuration changes can only be made in enable mode.

The prompt will change to the privileged EXEC prompt (#) as follows:
Router#
Step 4 At the prompt (#), enter the configure terminal command to enter configuration mode as follows:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#
At the prompt, enter the interface type slot/interface command to enter interface configuration mode as follows:
Router(config)# interface fastethernet 5/1
Router(config-if)# 
In either of these configuration modes, you can enter any changes to the configuration. Enter the end command to exit configuration mode.

Step 5 Save your settings. (See the "Saving the Running Configuration Settings" section.)

Your switch is now minimally configured and can boot with the configuration you entered. To see a list of the configuration commands, enter ? at the prompt or press the help key in configuration mode.

Checking the Running Configuration Before Saving

You can check the configuration settings you entered or changes you made by entering the show running-config command at the privileged EXEC prompt (#) as follows:
Router# show running-config
Building configuration...
Current configuration:
Current configuration : 3441 bytes
!
version 12.1
service timestamps debug datetime localtime
service timestamps log datetime localtime
no service password-encryption
!
hostname Router
!
boot buffersize 522200
boot system flash slot0:c6sup22-jsv-mz.121-5c.EX.bin
boot bootldr bootflash:c6msfc2-boot-mz.121-3a.E4
enable password lab
!
redundancy
 main-cpu
  auto-sync standard
ip subnet-zero
no ip finger
!
cns event-service server
!
<...output truncated...>
!
interface FastEthernet3/3
 ip address 172.20.52.19 255.255.255.224
!
<...output truncated...>
!
line con 0
 exec-timeout 0 0
 transport input none
line vty 0 4
 exec-timeout 0 0
 password lab
 login
 transport input lat pad mop telnet rlogin udptn nasi
!
end
Router#
Saving the Running Configuration Settings

To store the configuration or changes to your startup configuration in NVRAM, enter the copy running-config startup-config command at the privileged EXEC prompt (#) as follows:
Router# copy running-config startup-config
This command saves the configuration settings that you created in configuration mode. If you fail to do this step, your configuration will be lost the next time you reload the system.

Reviewing the Configuration

To display information stored in NVRAM, enter the show startup-config EXEC command. The display should be similar to the display from the show running-config EXEC command.

Configuring a Default Gateway

Note The switch uses the default gateway only when it is not configured with a routing protocol.

To send data to another subnet when the switch is not configured with a routing protocol, configure a default gateway. The default gateway must be the IP address of an interface on a router in the same subnet.

To configure a default gateway, perform this task:

Command

Purpose

Step 1

Router(config)# ip default-gateway A.B.C.D

Configures a default gateway.

Step 2

Router# show ip route

Verifies that the default gateway appears correctly in the IP routing table.

This example shows how to configure a default gateway and how to verify the configuration:
Router# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# ip default-gateway 172.20.52.35
Router(config)# end
3d17h: %SYS-5-CONFIG_I: Configured from console by console
Router# show ip route
Default gateway is 172.20.52.35
Host               Gateway           Last Use    Total Uses  Interface
ICMP redirect cache is empty
Router# 
Configuring a Static Route

If your Telnet station or SNMP network management workstation is on a different network from your switch and a routing protocol has not been configured, you might need to add a static routing table entry for the network where your end station is located.

To configure a static route, perform this task:

Command

Purpose

Step 1

Router(config)# ip route dest_IP_address mask {forwarding_IP | vlan vlan_ID}

Configures a static route.

Step 2

Router# show running-config

Verifies the static route configuration.

This example shows how to use the ip route command to configure a static route to a workstation at IP address 171.10.5.10 on the switch with a subnet mask and IP address 172.20.3.35 of the forwarding router:
Router# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# ip route 171.10.5.10 255.255.255.255 172.20.3.35
Router(config)# end
Router#
This example shows how to use the show running-config command to confirm the configuration of the previously configured static route:
Router# show running-config
Building configuration...
.
<...output truncated...>
.
ip default-gateway 172.20.52.35
ip classless
ip route 171.10.5.10 255.255.255.255 172.20.3.35
no ip http server
!
line con 0
 transport input none
line vty 0 4
 exec-timeout 0 0
 password lab
 login
 transport input lat pad dsipcon mop telnet rlogin udptn nasi
!
end
Router#
This example shows how to use the ip route command to configure a static route to a workstation at IP address 171.20.5.3 on the switch with subnet mask and connected over VLAN 1:
Router# configure terminal
Router(config)# ip route 171.20.5.3 255.255.255.255 vlan 1
Router(config)# end
Router# 
This example shows how to use the show running-config command to confirm the configuration of the previously configured static route:
Router# show running-config
Building configuration...
.
<...output truncated...>
.
ip default-gateway 172.20.52.35
ip classless
ip route 171.20.52.3 255.255.255.255 Vlan1
no ip http server
!
!
x25 host z
!
line con 0
 transport input none
line vty 0 4
 exec-timeout 0 0
 password lab
 login
 transport input lat pad dsipcon mop telnet rlogin udptn nasi
!
end
Router# 
Configuring a BOOTP Server

The Bootstrap Protocol (BOOTP) automatically assigns an IP address by adding the MAC and IP addresses of the interface to the BOOTP server configuration file. When the switch boots, it automatically retrieves the IP address from the BOOTP server.

The switch performs a BOOTP request only if the current IP address is set to 0.0.0.0. (This address is the default address for a new switch or a switch that has had its startup-config file cleared using the erase command.)

To allow your switch to retrieve its IP address from a BOOTP server, you must first determine the MAC address of the switch and add that MAC address to the BOOTP configuration file on the BOOTP server. To create a BOOTP server configuration file, follow these steps:

Step 1 Install the BOOTP server code on the workstation, if it is not already installed.

Step 2 Determine the MAC address from the label on the chassis.

Step 3 Add an entry in the BOOTP configuration file (usually /usr/etc/bootptab) for each switch. Press Return after each entry to create a blank line between each entry. See the example BOOTP configuration file that follows in Step 4.

Step 4 Enter the reload command to reboot and automatically request the IP address from the BOOTP server.

This example BOOTP configuration file shows the added entry:
# /etc/bootptab: database for bootp server (/etc/bootpd)
#
# Blank lines and lines beginning with '#' are ignored.
#
# Legend:
#
#       first field -- hostname
#                       (may be full domain name and probably should be)
#
#       hd -- home directory
#       bf -- bootfile
#       cs -- cookie servers
#       ds -- domain name servers
#       gw -- gateways
#       ha -- hardware address
#       ht -- hardware type
#       im -- impress servers
#       ip -- host IP address
#       lg -- log servers
#       lp -- LPR servers
#       ns -- IEN-116 name servers
#       rl -- resource location protocol servers
#       sm -- subnet mask
#       tc -- template host (points to similar host entry)
#       to -- time offset (seconds)
#       ts -- time servers
#
<information deleted>
#
#########################################################################
# Start of individual host entries
#########################################################################
Router:         tc=netcisco0:   ha=0000.0ca7.ce00:      ip=172.31.7.97:
dross:          tc=netcisco0:   ha=00000c000139:        ip=172.31.7.26:
<information deleted> 
Protecting Access to Privileged EXEC Commands

The following tasks provide a way to control access to the system configuration file and privileged EXEC commands:

•Setting or Changing a Static Enable Password

•Using the enable password and enable secret Commands

•Setting or Changing a Line Password

•Setting TACACS+ Password Protection for Privileged EXEC Mode

•Encrypting Passwords

•Configuring Multiple Privilege Levels

Setting or Changing a Static Enable Password

To set or change a static password that controls access to the privileged EXEC mode, perform this task:

Command

Purpose

Router(config)# enable password password

Sets a new password or changes an existing password for the privileged EXEC mode.

This example shows how to configure an enable password as "lab" at the privileged EXEC mode:
Router# configure terminal
Router(config)# enable password lab
Router(config)#
To display the password or access level configuration, see the "Displaying the Password, Access Level, and Privilege Level Configuration" section.

Using the enable password and enable secret Commands

To provide an additional layer of security, particularly for passwords that cross the network or that are stored on a TFTP server, you can use either the enable password or enable secret commands. Both commands configure an encrypted password that you must enter to access enable mode (the default) or to access a specified privilege level. We recommend that you use the enable secret command.

If you configure the enable secret command, it takes precedence over the enable password command; the two commands cannot be in effect simultaneously.

To configure the switch to require an enable password, perform either of these tasks:

Command

Purpose

Router(config)# enable password [level level] {password | encryption-type encrypted-password}

Establishes a password for the privileged EXEC mode.

Router(config)# enable secret [level level] {password | encryption-type encrypted-password}

Specifies a secret password, saved using a nonreversible encryption method. (If enable password and enable secret commands are both set, users must enter the enable secret password.)

Use either of these commands with the level option to define a password for a specific privilege level. After you specify the level and set a password, give the password only to users who need to have access at this level. Use the privilege level configuration command to specify commands accessible at various levels.

If you enable the service password-encryption command, the password you enter is encrypted. When you display it with the more system:running-config command, it displays in encrypted form.

If you specify an encryption type, you must provide an encrypted password that you copy from another Catalyst 6500 series switch configuration.

Note You cannot recover a lost encrypted password. You must clear NVRAM and set a new password. See the "Recovering a Lost Enable Password" section if you lose or forget your password.

To display the password or access level configuration, see the "Displaying the Password, Access Level, and Privilege Level Configuration" section.

Setting or Changing a Line Password

To set or change a password on a line, perform this task:

Command

Purpose

Router(config-line)# password password

Sets a new password or change an existing password for the privileged level.

To display the password or access level configuration, see the "Displaying the Password, Access Level, and Privilege Level Configuration" section.

Setting TACACS+ Password Protection for Privileged EXEC Mode

For complete information about TACACS+, refer to these publications:

•Cisco IOS Security Configuration Guide, Release 12.1, "Authentication, Authorization, and Accounting (AAA)," at this URL:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_c/scprt1/index.htm

•Cisco IOS Security Command Reference, Release 12.1, at this URL:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_r/index.htm

To set the TACACS+ protocol to determine whether or not a user can access privileged EXEC mode, perform this task:

Command

Purpose

Router(config)# enable use-tacacs

Sets the TACACS-style user ID and password-checking mechanism for the privileged EXEC mode.

When you set TACACS password protection at the privileged EXEC mode, the enable EXEC command prompts for both a new username and a password. This information is then sent to the TACACS+ server for authentication. If you are using the extended TACACS+, it also sends any existing UNIX user identification code to the TACACS+ server.

Caution If you enter the enable use-tacacs command, you must also enter tacacs-server authenticate enable, or you are locked out of the privileged EXEC mode.

Note When used without extended TACACS, the enable use-tacacs command allows anyone with a valid username and password to access the privileged EXEC mode, creating a potential security problem. This problem occurs because the switch cannot tell the difference between a query resulting from entering the enable command and an attempt to log in without extended TACACS.

Encrypting Passwords

Because protocol analyzers can examine packets (and read passwords), you can increase access security by configuring the Cisco IOS software to encrypt passwords. Encryption prevents the password from being readable in the configuration file.

To configure the Cisco IOS software to encrypt passwords, perform this task:

Command

Purpose

Router(config)# service password-encryption

Encrypts a password.

Encryption occurs when the current configuration is written or when a password is configured. Password encryption is applied to all passwords, including authentication key passwords, the privileged command password, console and virtual terminal line access passwords, and Border Gateway Protocol (BGP) neighbor passwords. The service password-encryption command keeps unauthorized individuals from viewing your password in your configuration file.

Caution The service password-encryption command does not provide a high level of network security. If you use this command, you should also take additional network security measures.

Although you cannot recover a lost encrypted password (that is, you cannot get the original password back), you can regain control of the switch after you lose or forget the encrypted password. See the "Recovering a Lost Enable Password" section if you lose or forget your password.

To display the password or access level configuration, see the "Displaying the Password, Access Level, and Privilege Level Configuration" section.

Configuring Multiple Privilege Levels

By default, the Cisco IOS software has two modes of password security: user EXEC mode and privileged EXEC mode. You can configure up to 16 hierarchical levels of commands for each mode. By configuring multiple passwords, you can allow different sets of users to have access to specified commands.

For example, if you want many users to have access to the clear line command, you can assign it level 2 security and distribute the level 2 password widely. If you want more restricted access to the configure command, you can assign it level 3 security and distribute that password to more restricted users.

These tasks describe how to configure additional levels of security:

•Setting the Privilege Level for a Command

•Changing the Default Privilege Level for Lines

•Logging In to a Privilege Level

•Exiting a Privilege Level

•Displaying the Password, Access Level, and Privilege Level Configuration

Setting the Privilege Level for a Command

To set the privilege level for a command, perform this task:

Command

Purpose

Step 1

Router(config)# privilege mode level level command

Sets the privilege level for a command.

Step 2

Router(config)# enable password level level [encryption-type] password

Specifies the enable password for a privilege level.

To display the password or access level configuration, see the "Displaying the Password, Access Level, and Privilege Level Configuration" section.

Changing the Default Privilege Level for Lines

To change the default privilege level for a given line or a group of lines, perform this task:

Command

Purpose

Router(config-line)# privilege level level

Changes the default privilege level for the line.

To display the password or access level configuration, see the "Displaying the Password, Access Level, and Privilege Level Configuration" section.