Using TFTP server to backup and restore

DonnaJ
Level 1

I'm having trouble locating the backups. I installed 3CDaemon TFTP. Started the server. Went to cmd and logged in to the switch. Enabled it, typed: copy running-config tftp: then clicked enter. Entered IP address of my computer, entered filename. Where does it put this file? I'm missing something...

Thanks,

DJ

DJ

I have looked at the config that you posted for the new switch and I believe that it is ok.

HTH

Rick

DonnaJ
Level 1

Thanks! I'll be installing the new switch in the morning. I'll let you know how it goes. Thanks again for all the help. I couldn't have done it without you. =)

Can you recommend a good book?

DJ

It didn't add the warning about all access is logged or the info between ip subnet-zero and not file verify auto. Will this show up once I place it on the network? I entered all of this info when I set the switch up....

DJ

It may be that it did not add the warning about access is logged because it may not have recognized the delimiter characters in the message. If it did not add it when you pasted the config it will not add it once you place it on the network. I suggest that you go back and manually add the message. The command is:

aaa authentication banner

and I believe that it is then looking for a delimiter character (a character which appears at the beginning and at the end of the message and does not appear in the text of the message). When it sees the delimiter it treats it as the beginning of the message and when it sees the next delimiter character it treats it as the end of the message. If you are confused about this, then I suggest that you access the switch, go into privilege mode, enter the command config t to enter configuration mode. In configuration mode you can enter partial commands and then use the ? to get on line help about the command.

I suspect that the problem with ip subnet-zero through not file verify was caused by the issue with the banner message. I believe that if you cut and paste those particular commands again that they should take. And if for some reason they do not take then you should be able to just type them into config mode.

HTH

Rick
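
A pre-paste check for the delimiter behaviour described in the reply above, added here as an example and not part of the original posts. It assumes the rule as stated there (first character after the command is the delimiter, message runs to its next occurrence); the sample config and the `check_banners` name are constructed for illustration.

```python
import re

# Commands that take a delimited message: the two AAA banners mentioned in
# this thread plus the ordinary "banner <type>" forms.
BANNER_RE = re.compile(
    r"^(aaa authentication (?:banner|fail-message)|banner \S+)\s+(\S)(.*)$")

def check_banners(config_text):
    """Return one finding per banner command in a config about to be pasted.

    The first character after the command is taken as the delimiter and
    everything up to its next occurrence as message text.
    """
    lines = config_text.splitlines()
    findings, i = [], 0
    while i < len(lines):
        m = BANNER_RE.match(lines[i].strip())
        if m:
            command, delim, rest = m.groups()
            body = [rest]
            while delim not in body[-1] and i + 1 < len(lines):
                i += 1
                body.append(lines[i])
            message = "\n".join(body).split(delim)[0]
            findings.append({
                "command": command,
                "delimiter": delim,
                "closed": delim in body[-1],
                # every line the switch would treat as banner text
                "consumed": [l.strip() for l in message.splitlines() if l.strip()],
            })
        i += 1
    return findings

# Constructed sample: the first banner is closed, the second lost its closing '#'.
BANNER_SAMPLE = """\
aaa authentication banner #
All access is logged
#
aaa authentication fail-message #
Access denied
ip subnet-zero
ip domain-name example.org
no file verify auto
"""

if __name__ == "__main__":
    for finding in check_banners(BANNER_SAMPLE):
        print(finding)
```

Any configuration command that shows up under `consumed`, or any banner with `closed` set to False, means the lines after that banner would be taken as message text instead of being applied.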

I will check out the banner issue in the morning. What about the dhcp info? If it's not showing in the config, how do I enter it? Or will the switch pick it up when I put it on the network?

Thanks again,

DJ

DJ

I thought that I addressed the issue about DHCP in the last paragraph of my previous response. I think it is highly unlikely that if the DHCP info is not there now that the switch will pick it up when you put it on line. I believe that you should cut and paste the missing statements:

ip subnet-zero
ip domain-name it.abbe-lib.org
ip name-server 10.3.50.240
ip name-server 10.3.50.241
ip dhcp-server 10.3.50.240

back into the switch. Or if there is some issue with cut and paste for these commands then you can type them directly into config mode on the switch.

HTH

Rick

Hi Rick,

I've got the banner back and ip subnet stuff. How do I set it so you don't have to enter a password for enable, so when you sign in, you are already enabled and at privilege level? I know it's not a good thing to do, but that's the way they want it. Also, can I view the settings for aaa?

Thanks,

DJ

DJ

I am glad that you got the banner and ip subnet-zero and DHCP stuff back. Not too very bad was it?

There are several ways to get immediately to enable mode. The most simple is to simply assign privilege level 15 to the interfaces. Since that was in place for the vty lines in the config that you posted, am I correct in assuming that your question relates to console access? If so just include this command under line con 0:

privilege level 15

I am not sure that I understand your question about viewing aaa settings. There was not much aaa in the config that you posted (an authentication banner, an authentication fail banner, and authentication to use local passwords or line passwords). You can login to the switch and use the show running-config command to view the config and view the aaa lines. Are you looking for something else?

HTH

Rick

It wasn't too bad. A bit time consuming but I'm learning a lot. Thanks to you.

I'm not sure what I need at this point. I have made a list of differences in the old file and the new one. I'm going to attach it. Take a look and give me your input.

Thanks,

DJ

DJ

Here are my comments about the differences.

The clock commands allow you to set some parameters about the clock on the switch. The clock timezone command is especially important if the switch is learning time from an NTP server. Since NTP was not in the config that you posted I assume that it is not important to you. This command sets the identifier for time as UTC and you might want to change it to EST (assuming that you are in the Eastern time zone) change UTC to EST in this command.

Clock timezone UTC -5

The clock summertime command causes the switch to automatically change for Daylight Savings time (and sets the time identifier). It might be good to put this into your switch (and I would suggest changing ITC to EDT)

Clock summer-time ITC recurring

I am not so familiar with the system mtu routing command. I believe that it is something that the code inserts into the config. I would not worry about it.

I would not worry about the certificate information that was in the old switch and not in the new switch. I do not believe that it is anything that you would use.

I would not be concerned about the spanning-tree optimize command not being in the new switch.

I would be concerned about this command not being in the new switch and suggest that you should put it in:

aaa authentication login default local line

I suspect that it was dropped by the same issue that dropped the ip subnet-zero and other lines. This line controls authentication when users login to the switch.

The exec-timeout 0 0 was under line con 0. If it is there the console will not log you out based on inactivity. Without this command the console will logout a session after 10 minutes of inactivity. Since it was in the old config you probably want it in the new config. But it is not significant one way or the other.

I am puzzled that these two lines are not there:

privilege level 15
transport input telnet

and I am wondering: in the original config there was line vty 0 4 with these lines and also there was line vty 5 15 with these lines. Is it possible that in the new config there is only line vty 0 4 and not line vty 5 15?

If they are missing under line vty 0 4 I would probably put them in. The command for privilege level 15 is the command that I mentioned in an earlier post that will put you directly into privilege level.

I notice one other thing that I will comment about. The aaa authentication login command specifies that it will prefer to authenticate with the userID and password configured on the switch and will use line passwords as a backup. I see that the console does have a password configured. I see that the vty lines do not. I would suggest putting a password (perhaps the same password that is on the console) on the vty lines.

HTH

Rick

I'm starting to understand what you're talking about... imagine that!

Does it matter that under the line con 0, line vty 0 4, line vty 5 15 that they now have privilege levels and/or password settings?

it looks like this:

line con 0
 exec-timeout 0 0
 privilege level 15
line vty 0 4
 privilege level 15
 password xxx
 transport input telnet
line vty 5 15
 privilege level 15
 password xxx
 transport input telnet

And does this really go to a log file somehow? And if so, where?

Thanks again,

DJ
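
A small audit of the console and vty settings discussed in this part of the thread, added here as an example and not part of the original posts. The function names, finding ids and sample config are constructed for illustration; the sample mirrors the settings posted above, laid out with the indentation `show running-config` uses.

```python
def parse_line_blocks(config_text):
    """Map each 'line ...' header to the list of sub-commands under it."""
    blocks, current = {}, None
    for raw in config_text.splitlines():
        text = raw.strip()
        if not text or text == "!":
            continue
        if raw.startswith("line "):
            current = text
            blocks[current] = []
        elif raw[0].isspace() and current is not None:
            blocks[current].append(text)
        else:
            current = None  # unindented command: back at global config level
    return blocks

# (finding id, what it means, test over the block's sub-commands)
CHECKS = [
    ("priv15", "login lands directly in privileged EXEC, no enable password asked",
     lambda c: "privilege level 15" in c),
    ("telnet", "management session, passwords included, is sent unencrypted",
     lambda c: any(x.startswith("transport input") and
                   {"telnet", "all"} & set(x.split()[2:]) for x in c)),
    ("no-idle-timeout", "an unattended session stays logged in indefinitely",
     lambda c: "exec-timeout 0 0" in c or "no exec-timeout" in c),
    ("no-line-password", "no password is set on the line itself",
     lambda c: not any(x.startswith("password ") for x in c)),
]

def audit_lines(config_text):
    """Return {line header: [finding ids]} for every line block in the config."""
    return {name: [cid for cid, _, test in CHECKS if test(cmds)]
            for name, cmds in parse_line_blocks(config_text).items()}

# Constructed sample using the same settings as the post above
# (the password value is a placeholder).
LINES_SAMPLE = """\
line con 0
 exec-timeout 0 0
 privilege level 15
line vty 0 4
 privilege level 15
 password xxx
 transport input telnet
"""

if __name__ == "__main__":
    for name, found in audit_lines(LINES_SAMPLE).items():
        print(name, found)
```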

DJ

I think that it is neat that you are starting to understand.

Assuming that the intent is for anyone who logs in to the switch (on console or via telnet to the vty) to go immediately to privilege mode (without requiring any further password) then the configuration of console and all vty looks ok.

I am not clear about your question about a log file. Perhaps you can clarify?

If it is about the configuration file there is not any log file that records configuration. But that does remind me of a couple of things to mention. One of which is that there is a running-config and a startup-config. The running-config is (as the name implies) the config that governs the running of the switch. When you have been making config changes the changes are in the running config. The running config is stored in RAM and like most computer memory if the switch power cycles or reboots for some reason the running config is lost. The startup-config is stored in non-volatile memory and is read when the switch boots to create the running config. So it would be a good thing that after you have made changes to use the command copy running-config startup-config (usually abbreviated as copy run start) to copy the config from RAM to NVRAM.

Also after you have made the config changes and things are stable on the new switch it would be a VERY good thing to use TFTP and make a copy (or several) that are stored somewhere other than on the switch.

HTH

Rick

I brought the switch up online and no go. I'm thinking, remember I lost all of my setup info: ip subnet-zero stuff. Maybe I lost the IP address for the switch too. How do I check to see what the IP address is and how do I change it? Will I have to reset the switch to change the IP address?

thanks,

DJ

DJ

Can you be a bit more specific about what was a no go? You did not list the IP address as a difference in the configs so I assumed that it was there. And frankly even if the IP address was not there it should not have impacted the switch's ability to forward traffic. The IP address provides the ability to telnet to the switch to manage it remotely. But it does not impact basic functioning of the switch.

My guess is more likely that there was a problem with the uplink from the switch. Can you tell me whether there was connectivity over the fiber?

HTH

Rick

I switched out the switches and I couldn't ping the switch and the PCs that use the ports for this switch could not reach the network. I changed the config info for the new trunk by changing the interface for the fiber.... Maybe I didn't config that correctly. I'm gonna go through the config file for the router.

For the fiber port, I entered the following configs on the router:

interface GigabitEthernet2/0/4
 switchport trunk encapsulation dot1q
 switchport mode trunk

On the new switch:

interface GigabitEthernet0/1
 description Connection to 50-CoreSwitch-1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 duplex full
 speed 100

I'll be troubleshooting it first thing in the morning. I'll try to update anything I think might be of importance. I don't know if there was connectivity over the fiber. The cable guy tested all of it and said it was ready. I'll verify for myself in the morning.

Thanks,

DJ