Wednesday, November 30, 2011

Cisco Monitor Common Mistakes

I am going to touch on common mistakes in Cisco network monitoring today. You know for sure that you need a network-monitoring tool for managing your network. There is a wide variety of tools available, ranging from simple to complex and from free to enterprise products.
If you get one monitoring tool and install it, can you say that everything is under control? Will you be aware of what happens in your network? I will try to warn you about common mistakes in Cisco network monitoring. Actually, these mistakes are common to any kind of network; my experience, however, is with Cisco environments.

1. Monitoring without documentation
If you are monitoring your network and don't have complete network documentation, it will not be clear whether the monitoring is beneficial or not. How can you be sure about the reliability of your monitoring system without knowing the exact number of devices, their models and their interconnections?

Network Monitoring Tools

What are your daily duties as the network administrator? You have to keep your network up and running. You have to answer calls about situations like "X location is down" or "Y location is slow". You should monitor your network as described below to fulfill these tasks.


  • You should monitor your network and take action on situations like device and line failures.
  • You should analyze line utilization and errors on the line, and be sure about network performance.
  • You should be aware of who talks with whom, and how much bandwidth every single application needs.
  • And sometimes you need to see the exact data flow over the network.
If you have all this information ready, people will think twice before they point a finger at you. How can you achieve this?

We need a layered approach to understand network monitoring. I am not talking about network layers, but network monitoring layers. We have to go through the monitoring layers in depth before deciding what network monitoring software we need. A simple summary could look like this:

  • Preconditions of network monitoring.
  • Up/Down monitoring
  • Performance Monitoring / SNMP monitoring
  • Who talks with whom? / Netflow monitoring
  • Data capture / Data sniffing


Preconditions of Network Monitoring
Network documentation is essential to monitor a network. Trying to set up network monitoring tools before the documentation is complete is a waste of time. You will see everything green on the screen while one of the redundant lines is down without your noticing. You will sit staring without knowing what is happening. Always remember: documentation comes first and everything else follows.
Suggested monitoring tools: Powerpoint/Visio, NetViz



Up/Down monitoring
You have a map in which you can see some red and green lights glowing. Green means up and red means down. It is simple yet powerful. You will immediately know that there is a problem when a red light glows.
This is based on ping. Almost every IP device supports ICMP echo/echo reply, so you can monitor all IP devices in your network with ping. You can go one step further by monitoring a single application on a device instead of the whole device. All network applications use TCP/UDP ports, so you can monitor an application by trying to connect to its TCP/UDP port with telnet. The port being open suggests that the application is running.

Suggested monitoring tools: WhatsupGold, nmap


Performance monitoring / SNMP monitoring
The lines are up, the devices are up, but life is not perfect. People complain about the performance of data lines. Are they saturated? Do we have packet losses on the lines? Are routers running out of memory? We need SNMP to monitor the heartbeat of the network.

Suggested monitoring tools: MRTG, Solarwinds Orion, PRTG


Who talks with whom? / Netflow monitoring
You realized that the line is full. Someone or some application has increased the traffic load enormously. Who are they? Is it necessary traffic? On Cisco devices, the "ip accounting" command gives an idea of current traffic sources and destinations. Nevertheless, to analyze and optimize the traffic we need flow monitoring. We need to know source and destination IP addresses, TCP/UDP ports and the number of packets/bytes.
Everyone blames the network speed until you publish a network usage report that clearly shows only 15% of the traffic is ERP traffic and the rest comes from Internet access.
You should know that flow monitoring tools require more server resources, since they collect enormous amounts of data.

Suggested monitoring tools: Fluke Netflow monitor, Paessler
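The "who talks with whom" analysis described above, as an added example that is not part of the original post. The flow records, the addresses and the port-to-application mapping (port 3200 standing in for the ERP server) are all constructed for the demonstration; on a real network the records would come from the router's NetFlow export, and the report reproduces the kind of usage summary the post recommends publishing.

```python
"""Answer "who talks with whom" from NetFlow-style records.

Added example, not part of the original post. The records below are constructed;
on a real network they would come from the router's NetFlow export. The
port-to-application mapping is also a constructed assumption.
"""
from collections import defaultdict, namedtuple

Flow = namedtuple("Flow", "src dst proto src_port dst_port packets bytes")

# Constructed sample flows, client -> server direction only
SAMPLE_FLOWS = [
    Flow("10.1.1.10", "10.1.2.5", "tcp", 51000, 3200, 120, 900),     # ERP
    Flow("10.1.1.11", "10.1.2.5", "tcp", 51001, 3200, 80, 600),      # ERP
    Flow("10.1.1.10", "203.0.113.9", "tcp", 51002, 443, 900, 5000),  # Internet
    Flow("10.1.1.12", "203.0.113.20", "tcp", 51003, 80, 700, 3000),  # Internet
    Flow("10.1.1.12", "10.1.2.53", "udp", 51004, 53, 50, 500),       # DNS
]

# Constructed mapping of server port -> application name (3200 = the ERP port in this lab)
APP_PORTS = {3200: "ERP", 80: "Internet", 443: "Internet", 53: "DNS"}


def classify(flow):
    """Label a flow by its destination port; anything unknown is 'other'."""
    return APP_PORTS.get(flow.dst_port, "other")


def bytes_by(flows, key):
    """Sum bytes per key(flow), e.g. per source host or per (src, dst) pair."""
    totals = defaultdict(int)
    for flow in flows:
        totals[key(flow)] += flow.bytes
    return dict(totals)


def app_share(flows):
    """Percentage of all bytes per application, rounded to one decimal."""
    total = sum(flow.bytes for flow in flows)
    if total == 0:
        return {}
    return {app: round(100.0 * b / total, 1) for app, b in bytes_by(flows, classify).items()}


def top_conversations(flows, n=3):
    """Busiest (src, dst) pairs by bytes, descending."""
    pairs = bytes_by(flows, lambda f: (f.src, f.dst))
    return sorted(pairs.items(), key=lambda kv: kv[1], reverse=True)[:n]


def top_talkers(flows, n=3):
    """Hosts that send the most bytes, descending."""
    hosts = bytes_by(flows, lambda f: f.src)
    return sorted(hosts.items(), key=lambda kv: kv[1], reverse=True)[:n]


def usage_report(flows):
    """The kind of usage report the post recommends publishing, as plain text."""
    lines = ["Application share of traffic:"]
    for app, pct in sorted(app_share(flows).items(), key=lambda kv: kv[1], reverse=True):
        lines.append(f"  {app:<10} {pct:5.1f}%")
    lines.append("Top conversations:")
    for (src, dst), b in top_conversations(flows):
        lines.append(f"  {src} -> {dst}: {b} bytes")
    return "\n".join(lines)


if __name__ == "__main__":
    print(usage_report(SAMPLE_FLOWS))
```

Classification here uses only the destination port, which is correct for the client-to-server direction shown; a collector that also exports the return direction should match on either port.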


Data capture / RMON – Sniffer tools
Sometimes you need to observe the exact data flow on the line and not just information about it. Have a look at this sample scenario. After you find out that a web service causes inappropriately high network traffic, the owner of the application can just say: "No, we are not pushing this much data to the network. We just respond Yes or No in this web service and it is just 100 bytes". Therefore, you should sniff the data flow on the line. Maybe you will find that the web service responds yes or no (100 bytes) together with the definition of the web service (6 kilobytes).

Suggested monitoring tools: Wireshark

Advanced SSH settings Cisco IOS

I covered basic SSH settings in the SSH @ Cisco article. But I saw that there are other questions about SSH settings, so I decided to dive a bit deeper. The settings mentioned below were tested with IOS 12.4, but I am not sure about the exact version that first supports the features below.

Q1. What happens if I change the hostname or IP domain name after the SSH settings have been done?
A1. Nothing. You need them to create the RSA keys, but if you change them afterwards, only the key name changes and the key data remains the same.

ciscolab#sh crypto key mypubkey rsa

SSH @ Cisco

       Recently, I had to swap the Internet router of my company. BGP and CEF ate up the whole memory and it was not possible to upgrade the memory of the Cisco 3725 router beyond 256MB. It was time to change it.

       I had a chance to install a new Cisco 3845 with 1GB memory. Everything was fine except SSH access, which I needed because of security policy. I searched the web and found the "Configuring Secure Shell on Routers and Switches Running Cisco IOS" document on Cisco's web site. It was a little bit different from the current one. I made the configuration as explained, but it was not good enough and access to the router via SSH was not possible.

About one week later, I realized that:
  • SSH only supports authentication with username/password; it does not support just an access password like telnet.
  • So I had to create a user and set a password with the username command.
  • I had to enable aaa new-model OR issue the login local command under line vty for username/password authentication.
  • A hostname and a domain name were also required to generate the keys, since the router uses its FQDN as the label of the key pair.
  • SSH is enabled by default, so I did not need to enable it myself.

Thursday, November 24, 2011

Top five learning tools


  1. Guide to network admin: Good network administration is the backbone of today's technology-dependent enterprises. Network administrators are charged with keeping expansive networks and numerous applications running smoothly, and the job can seem overwhelming at times. We're coming to the rescue with this guide that brings you back to basics. We polled our readers about their most common tasks to find out what the heart and soul of network administration consists of

Hardware/Software Life Cycle

Hardware Life Cycle
On lists of hardware recommendations, you will see a status value which may be one of these four options:
Early Adoption – equipment is new and is undergoing validation testing in the company's network. Sites installing hardware of this type do so at their own risk, but we do encourage a certain amount of creativity and look forward to receiving feedback on the community's experiences.
We recommend that early adoption hardware is installed in a low-risk part of the network.

Current Recommended – equipment is recommended wherever possible for new installations.
Current Alternative – equipment is still current and supported, but the latest Company networking engineering standard

IOS Commands

Privileged Mode
   enable - enter privileged mode
   disable - return to user mode
Configuring the Router
   sh running-config - displays the running configuration file (RAM)
   sh startup-config - displays the configuration stored in NVRAM
   setup - starts the automatic setup; the same as when you first boot the router
   config t - execute configuration commands from the terminal
   config mem - executes configuration commands stored in NVRAM; copies startup-config to running-config
   config net - retrieves configuration info from a TFTP server
   copy running-config startup-config - copies the running config (RAM) to NVRAM; use "write memory" on IOS versions before 11

Wednesday, November 23, 2011

Troubleshooting Strategy

How do you know when you are having a network problem? The answer to this question depends on your site's network configuration and on your network's normal behavior. See "Knowing Your Network" for more information.

If you notice changes on your network, ask the following questions:
  • Has this event ever occurred before?
  • Is the change expected or unusual?
  • Does the change involve a device or network path for which you already have a backup solution in place?
  • Does the change interfere with vital network operations?
  • Does the change affect one or many devices or network paths?
After you have an idea of how the change is affecting your network, you can categorize it as critical or noncritical. Both of these categories need
By using a strategy for network troubleshooting, you can approach a problem methodically and resolve it with minimal disruption to network users. It is also important to have an accurate and detailed map of your current network environment.

Knowledge of Networking Practices

1 Implementing the Installation of the Network
   1.1 Demonstrate awareness that administrative and test accounts, passwords, IP addresses, IP configurations, relevant SOPs, etc., must be obtained prior to network implementation.

   1.2 Explain the impact of environmental factors on computer networks. Given a network installation scenario, identify unexpected or atypical conditions that could either cause problems for the network or signify that a problem condition already exists, including:
      · room conditions (e.g., humidity, heat, etc.)
      · it is important to set up the room with normal humidity to prevent electrostatic discharge (ESD), and air conditioning to prevent CPU overheating and system shutdown

Tuesday, November 22, 2011

Troubleshooting the Network

How To Troubleshooting The Network

Recognize the following steps as a systematic approach to identifying the extent of a network problem and, given a problem scenario, select the appropriate next step based on this approach:
   1. determine whether the problem exists across the network,
   2. determine whether the problem is workstation, workgroup, LAN or WAN,
   3. determine whether the problem is consistent and replicable, and
   4. use standard troubleshooting methods.


Identify the following steps as a systematic approach for troubleshooting network problems and, given a problem scenario, select the appropriate next step based on this approach:
   1. identify the exact issue,
   2. recreate the problem,
   3. isolate the cause,
   4. formulate a correction,
   5. implement the correction,
   6. test,
   7. document the problem and the solution, and
   8. give feedback.

Baseline & network health facts

- Ethernet segments should not exceed 40% Network Utilization
- Token Ring should not exceed 70% Network Utilization
- WAN Links should not exceed 70% Network Utilization
- Response time should be less than 100ms
- Broadcasts/Multicasts should be no more than 20% of all network traffic
- On Ethernet there should be no more than 1 CRC error per 1million bytes of data
- Cisco Router CPU Utilization should not exceed 75%
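The baseline figures listed above, applied as an automated health check. This is an added example and not part of the original post; the interface counters, the interface names and the CPU and response-time values are constructed, and on a real router they would be collected over SNMP (interface octet and error counters) or from the output of `show interfaces` and `show processes cpu`. Utilization is taken as the busier of the two directions relative to the interface bandwidth, which is an assumption of this example.

```python
"""Check interface and router statistics against the baseline thresholds.

Added example, not part of the original post. All counters below are
constructed; a real collector would read them over SNMP.
"""
from dataclasses import dataclass

# Thresholds exactly as listed in the post
UTILIZATION_MAX_PCT = {"ethernet": 40.0, "token_ring": 70.0, "wan": 70.0}
BROADCAST_MAX_PCT = 20.0          # broadcasts + multicasts as a share of all frames
CRC_ERRORS_PER_MBYTE_MAX = 1.0    # Ethernet: 1 CRC error per million bytes
CPU_MAX_PCT = 75.0
RESPONSE_MAX_MS = 100.0


@dataclass
class InterfaceStats:
    name: str
    media: str              # "ethernet", "token_ring" or "wan"
    bandwidth_bps: int
    in_bps: int
    out_bps: int
    frames: int             # all frames seen on the segment
    broadcast_frames: int   # broadcast + multicast frames
    in_bytes: int
    crc_errors: int


@dataclass
class Finding:
    subject: str    # interface name or "router"
    metric: str
    value: float
    limit: float


def utilization_pct(s):
    """Busier direction as a percentage of the interface bandwidth (assumption)."""
    return 100.0 * max(s.in_bps, s.out_bps) / s.bandwidth_bps


def broadcast_pct(s):
    return 100.0 * s.broadcast_frames / s.frames if s.frames else 0.0


def crc_per_mbyte(s):
    return s.crc_errors / (s.in_bytes / 1_000_000) if s.in_bytes else 0.0


def check_interface(s):
    """Return one Finding per baseline the interface violates."""
    findings = []
    util, limit = utilization_pct(s), UTILIZATION_MAX_PCT[s.media]
    if util > limit:
        findings.append(Finding(s.name, "utilization_pct", round(util, 1), limit))
    bcast = broadcast_pct(s)
    if bcast > BROADCAST_MAX_PCT:
        findings.append(Finding(s.name, "broadcast_pct", round(bcast, 1), BROADCAST_MAX_PCT))
    if s.media == "ethernet":  # the post states the CRC rule for Ethernet only
        crc = crc_per_mbyte(s)
        if crc > CRC_ERRORS_PER_MBYTE_MAX:
            findings.append(Finding(s.name, "crc_per_mbyte", round(crc, 2), CRC_ERRORS_PER_MBYTE_MAX))
    return findings


def check_router(cpu_pct, response_ms, interfaces):
    """Router-level checks followed by every interface check."""
    findings = []
    if cpu_pct > CPU_MAX_PCT:
        findings.append(Finding("router", "cpu_pct", cpu_pct, CPU_MAX_PCT))
    if response_ms > RESPONSE_MAX_MS:
        findings.append(Finding("router", "response_ms", response_ms, RESPONSE_MAX_MS))
    for s in interfaces:
        findings.extend(check_interface(s))
    return findings


# Constructed sample: a saturated, error-prone LAN port and a broadcast-heavy WAN link
SAMPLE_INTERFACES = [
    InterfaceStats("FastEthernet0/0", "ethernet", 100_000_000, 45_000_000, 10_000_000,
                   100_000, 5_000, 50_000_000, 120),
    InterfaceStats("Serial0/0", "wan", 1_544_000, 1_000_000, 800_000,
                   20_000, 6_000, 10_000_000, 2),
]
SAMPLE_CPU_PCT = 82.0
SAMPLE_RESPONSE_MS = 40.0


if __name__ == "__main__":
    for f in check_router(SAMPLE_CPU_PCT, SAMPLE_RESPONSE_MS, SAMPLE_INTERFACES):
        print(f"{f.subject}: {f.metric} = {f.value} (limit {f.limit})")
```

With the constructed sample the check reports the Ethernet port for utilization (45%) and CRC rate (2.4 per million bytes), the WAN link for its broadcast share (30%), and the router for CPU (82%); the WAN link's 64.8% utilization stays under its 70% limit.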

Saturday, November 19, 2011

Data Center Access/ Visitor

Procedure Background
       In order to reduce physical exposures to data center equipment, production operations and backed up application data files, access controls are required. This is a preventive measure to safeguard the continuous operation of Company Hubs. Data center access audits are performed quarterly and door checks are performed weekly.


· The Data Center Facilities Team Lead is responsible for ensuring that all IT personnel adhere to the policy of applying for data center access.
· See the contact list for appropriate contacts.
· Any member of the workforce may STOP any WORK in progress due to unsafe work methods, conditions causing the area to be unsafe, an emergency, or any other Data Center operational necessity.

802.1x Authentication

Figure 1: IOS Version Required
Figure 2: Cisco 3560, 3750, 4500, 6500 802.1x Configuration
Figure 3: Cisco 3560, 3750, 4500, 6500 802.1x Configuration Removal

  
1.  Introduction

          The objective of this content is to provide an overview of the 802.1x capability of the Cisco IOS Switches.  This allows stakeholders to determine whether port-based authentication using 802.1x is a viable option for their specific scenario as well as how the technology works to keep resources secure.
          This content is designed to provide network engineers with the skills and knowledge to effectively deploy and troubleshoot network based authentication using 802.1x.  Configuration examples are provided to assist the engineer in adding 802.1x port security to the Cisco devices.  Known issues and questions are addressed to help educate users and engineers that

802.1x Features
          The 802.1x feature secures physical network ports or wireless connections by requiring valid authentication.  802.1x is a way to make sure a user is who they say they are by checking their credentials against an authentication server.
This server can be designed specifically for authenticating users on the network, or can be multi-purpose, such as Active Directory or RADIUS servers that also handle authentication other than networking.

          802.1x uses a supplicant (user), an authenticator (switch or access point), and an authentication server (RADIUS server).  The supplicant notifies the authenticator that it would like to be authenticated.  Once the authenticator receives this request, it forwards the information to the authentication server for validation.  This information can be in many forms, including username/password, a machine based certificate, or a smart badge based certificate.  These credentials are checked against the server in order to allow the supplicant access through the authenticator.  Once access is granted to the supplicant, the user is able to make use of the network resources.  If a supplicant is not authorized, the network administrator can determine the access level that is granted.  An unauthorized supplicant can be denied any service on the network, placed into a quarantine network, or into an "Internet-only" VLAN.  Administrators have complete control over the placement of an unauthorized supplicant.

2. Direction
          Company has many sites in which 3rd-party collaboration takes place.  802.1x is one method of securing a network that could possibly be accessed by unauthorized users.  By requiring authentication credentials, a network connection can be locked down, protecting corporate resources that would otherwise be available on an unsecured connection.
Smart Badge capability was initially chosen as the authentication method because it has been deployed globally. All machines have the same image using the Global Information Link 3 () configuration.  Using Smart Badge based certificates has proven to be an obstacle because the user needs to input a PIN.  An alternative to a Smart Badge based certificate is a machine based certificate placed on each laptop or workstation.  This machine certificate allows a device to be placed on the Company network without user intervention.  Devices not containing the machine certificate are not allowed Company network access.  Access to the device and the Company's network will continue to require Smart Badge authentication, restricting unauthorized users from taking an unattended Company-authenticated device and placing it on the network.
          The EAP type chosen was EAP-TLS, which uses certificates on the Smart Badge.  The EAP-TLS protocol is used by Steel-Belted Radius, which is currently the Company Wireless LAN authentication server.

Requirements
          Connecting Device: Any device connecting to the switch port should be able to perform EAP authentication. This functionality is provided by an EAP supplicant. The computers have a native Microsoft EAP supplicant that needs to be enabled. A GOP package has been created to enable the EAP supplicant on the computers.
          The authentication of the EAP-enabled computers has been tested and is working fine.
          Non-EAP devices such as printers and other peripherals will authenticate using their MAC address. The Network Assets team is presently working on the backend MAC based authentication infrastructure for non-EAP enabled devices.
          The Cisco IP Phones have an EAP supplicant in version 8.5.2 of the IP phone load. The Network Assets team is presently testing the new IP phone image and is planning to conduct testing on the 6500, 4500, 3K & 2K switches.
          Switches that have been tested working with 802.1x include Cisco 3750, 3560, 4500, and 6500 series Catalyst Switches.
          802.1x has been tested using specific versions of IOS.  A list of required versions to be used can be seen below in table 1.  In most cases, any version higher than what is listed will suffice as a requirement.
   Switch   IOS Version
   3560
   3750     12.2(53)SE
   4500     12.2(53)SG1
   6500     12.2(33)SXI
3. Configuration
Cisco 3560, 3750, 4500, 6500 Configuration and Troubleshooting

Adding Configuration
802.1x has three parts to the configuration:
     1. 802.1x Global Configuration
     2. Radius Server Authentication
     3. Interface Configuration


Configuration is detailed in figure 1.
                        (***802.1x Global Configuration***)
                        802.1x-Switch(config)# aaa authentication dot1x default group radius
                        802.1x-Switch(config)# dot1x system-auth-control

                        (***Radius Server Authentication Global Configuration***)
                        802.1x-Switch(config)# radius-server host 146.23.102.28 auth-port 1645 acct-port 1646
                        802.1x-Switch(config)# radius-server key 7 011B09110A5D561C2D1F

                        (***Interface Configuration***)
                        802.1x-Switch(config)# interface GigabitEthernet0/1
                        802.1x-Switch(config-if)# dot1x pae authenticator
                        802.1x-Switch(config-if)# dot1x port-control auto
                        802.1x-Switch(config-if)# dot1x violation-mode protect


Figure 2: Cisco 3560, 3750, 4500, 6500 802.1x Configuration

Removing Configuration
  If 802.1x requires removal from an interface, only the interface needs to be changed (See figure 2).  The global configuration for 802.1x and Radius Server authentication can remain on the switch.
                        (***Removing 802.1x Interface Configuration***)
                        802.1x-Switch(config)# interface GigabitEthernet5/27
                        802.1x-Switch(config-if)# no authentication port-control auto
                        802.1x-Switch(config-if)# no authentication violation restrict
                        802.1x-Switch(config-if)# no dot1x pae authenticator

Figure 3: Cisco 3560, 3750, 4500, 6500 802.1x Configuration Removal
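A configuration audit that ties together the SSH prerequisites from the "SSH @ Cisco" post (hostname, ip domain-name, a username, and either aaa new-model or login local on the vty lines) and the 802.1x commands from the figures above (the two global dot1x commands, a radius-server host, and the three dot1x interface commands on every access port). This is an added example, not code from the original pages. The running-config text is constructed, with placeholder secrets; interfaces configured as trunks or shut down are skipped on the assumption that they are uplinks or unused, which is a choice of this example rather than something the page states.

```python
"""Audit an IOS running-config for SSH prerequisites and 802.1x coverage.

Added example, not from the original pages. SAMPLE_CONFIG is constructed;
secrets are placeholders. Trunk and shutdown interfaces are assumed to be
exempt from 802.1x (an assumption of this example).
"""

SAMPLE_CONFIG = """\
hostname ciscolab
ip domain-name lab.example
username admin secret <hash-placeholder>
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
radius-server host 192.0.2.10 auth-port 1645 acct-port 1646
radius-server key 7 <key-placeholder>
!
interface GigabitEthernet0/1
 dot1x pae authenticator
 dot1x port-control auto
 dot1x violation-mode protect
!
interface GigabitEthernet0/2
 description printer, 802.1x not yet applied
!
interface GigabitEthernet0/24
 description uplink
 switchport mode trunk
!
line vty 0 4
 login local
!
end
"""

DOT1X_GLOBAL = ("aaa authentication dot1x default group radius", "dot1x system-auth-control")
DOT1X_INTERFACE = ("dot1x pae authenticator", "dot1x port-control auto", "dot1x violation-mode protect")


def parse_config(text):
    """Split a config into top-level commands and the sub-commands of each interface/line block."""
    top, blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            current = None          # '!' ends the current block
            continue
        if raw[0] in " \t" and current is not None:
            blocks[current].append(raw.strip())
            continue
        line = raw.strip()
        top.append(line)
        if line.startswith(("interface ", "line ")):
            current = line
            blocks[current] = []
        else:
            current = None
    return top, blocks


def audit_ssh_prereqs(top, blocks):
    """The four conditions the SSH @ Cisco post found were required."""
    findings = []
    if not any(l.startswith("hostname ") for l in top):
        findings.append(("global", "hostname missing (needed for the RSA key label)"))
    if not any(l.startswith("ip domain-name ") for l in top):
        findings.append(("global", "ip domain-name missing (needed for the RSA key label)"))
    if not any(l.startswith("username ") for l in top):
        findings.append(("global", "no username: SSH needs a local user, not just a line password"))
    vty_login_local = any(hdr.startswith("line vty") and "login local" in subs
                          for hdr, subs in blocks.items())
    if "aaa new-model" not in top and not vty_login_local:
        findings.append(("line vty", "neither aaa new-model nor login local is configured"))
    return findings


def audit_dot1x(top, blocks):
    """Global 802.1x/RADIUS commands, then the three interface commands per access port."""
    findings = [("global", f"missing '{cmd}'") for cmd in DOT1X_GLOBAL if cmd not in top]
    if not any(l.startswith("radius-server host ") for l in top):
        findings.append(("global", "no radius-server host configured"))
    for header, subs in blocks.items():
        if not header.startswith("interface "):
            continue
        if "switchport mode trunk" in subs or "shutdown" in subs:
            continue                # assumed uplink or unused port
        name = header.split(" ", 1)[1]
        findings += [(name, f"missing '{cmd}'") for cmd in DOT1X_INTERFACE if cmd not in subs]
    return findings


def audit(text):
    top, blocks = parse_config(text)
    return audit_ssh_prereqs(top, blocks) + audit_dot1x(top, blocks)


if __name__ == "__main__":
    for subject, problem in audit(SAMPLE_CONFIG):
        print(f"{subject}: {problem}")
```

On the sample config the only findings are the three missing dot1x commands on GigabitEthernet0/2; removing `ip domain-name` or both `aaa new-model` and `login local` produces the corresponding SSH findings.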

References:  Introduction to IEEE 802.1x and Cisco Identity-Based Networking Services

Cisco 3G Aircard Configuration


1. Introduction
      Wireless services offer a compelling alternative to traditional terrestrial services, and with the increasing expansion of the Service Provider offerings in the 3G space, this offers the network designer a new exciting paradigm in Wide Area Network design:
              • a cheap alternative to leased line or satellite services
              • a high-speed wireless option for backup connectivity
              • an alternative to physical wireline infrastructure
              • business continuity and disaster recovery alternatives
       3G is the third generation of mobile technology standards, which allow Service Providers to deliver High Speed Packet Access (HSPA) data capabilities.  3G services are commonly associated with cellular phone technology and individual user-based aircard services; however, Cisco offers an integrated 3G interface card which allows a router to take advantage of 3G services such as those typically only available to a mobile, individual user.
      It should be noted that 3G service is a subscription-based service, and use of that service requires an account with the vendor/provider offering that service.
      The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” in this document are to be interpreted as described in RFC 2119


2. Aircard Installation & Activation
      Cisco 3G aircards are part of the HWIC, or High-Speed WAN Interface Card, family and have a part number beginning with HWIC-3G-CDMA.  This is followed by another letter, which represents the vendor associated with the aircard you have chosen.  For the remainder of this document, we will be referencing the "-V" option, which is associated with the Verizon Wireless service.  It is also worth noting that the RECOMMENDED service for the company in North America is the Verizon Wireless aircard service.
The following parts are used to assist in this configuration guide:
          • Cisco 2811 Integrated Services Router
               o   12.4(15)T7 Software Code (c2800nm-advipservicesk9-mz.124-15.T7.bin) – it should be noted that the 3G cards only work with a select version of IOS software.
               o    256MB DRAM
               o    64MB Compact Flash
          • HWIC-3G-CDMA-V aircard
               o    3G-ANTM1919D antenna (x2) – two antennae are required to achieve maximum throughput

   2.1 Installation
           Since the 3G aircards are part of the HWIC family, they need to be installed in an HWIC slot.  (The appendix of this document includes a table of ISR routers and the number of HWIC slots in each.)  Before installation, record the ESN number off of the aircard; this will be used to request activation of the aircard.
           If you forget to record the ESN, don’t worry about removing the card to record it, as you can also retrieve the information from within the command line interface (CLI).
                    Router2811#sho cellular 0/0/0 hardware
                    !
                    Modem Firmware Version = p2005700
                    Modem Firmware built = 12-14-06
                    Hardware Version = 2.0
                    Electronic Serial Number (ESN) = 0x603C97F6
                    Preferred Roaming List (PRL) Version = 50783
                    Current Modem Temperature = 26 degrees Celsius

   2.2 Activation
           The next step will be to activate the aircard.  In order to activate the aircard, you need to be connected on the Verizon Wireless REV-A (1xRTT/EVDO) network.  You can verify this with the following command/output:
                     Router2811#sho cellular 0/0/0 network
                     !
                     Current Service = 1xEV-DO (Rev A) and 1xRTT

       Additionally, you need to have a radio signal better than -90 dBm, and better than -80 dBm for maximum throughput.  You can verify the received signal strength indication (RSSI) with the following command/output:
                     Router2811#sho cellular 0/0/0 radio
                     !
                     1xRTT related info
                     ------------------
                     Current RSSI = -44 dBm, ECIO = -4 dBm
           Note that a value of zero (0) indicates no signal.

        Some aircards may have been shipped with REV-A capabilities disabled.  To ensure that your aircard is REV-A enabled, execute the following commands:
                     Router2811#config terminal
                     Enter configuration commands, one per line.  End with CNTL/Z.
                     Router2811(config)#service internal
                     Router2811(config)#exit
                     Router2811#test cellular 0/0/0 cdma rev-a enable
                     EVDO Rev A enabled successfully
                     Router2811#

Your aircard is now activated and ready for configuration.

3. Configuring the Aircard
      For the purposes of this document, a simple configuration is used to establish basic connectivity.  The appendix includes a slightly more detailed configuration option, including local DHCP services for end-user connectivity needs.
The following commands are the minimum required configuration to establish connectivity to the Verizon Wireless 3G / REV-A network.
         1. chat-script <script name> "" "ATDT#777" TIMEOUT <timeout value> CONNECT
              The chat script defines the ATDT commands used when the dialer is initiated.  For this document, we use the chat script name 'VZW'.

         2. interface cellular <slot/wic/port>
              For the sake of this document, we are using slot 0, wic 0, and port 0 – or 0/0/0.

         3. ip address negotiated
              The Cellular interface MUST be configured to retrieve an IP address from the provider via PPP/IPCP negotiation.

         4. dialer in-band
              This enables dial-on-demand routing, or DDR, and the use of a chat script.

         5. dialer idle-timeout <seconds>
              The 'dialer idle-timeout' is the amount of inactive time before the interface is disconnected.  A RECOMMENDED value is 300, or 5 minutes.  If you are on a pay-per-use plan, it would be good to set this value to something more like 30 seconds to reduce the length of time connected without any 'interesting' traffic.

         6. dialer string <string>
              The 'dialer string' is the number to call – here you will specify the name of the chat script.

         7. dialer group <number>
              Associates the Cellular interface with a dialer access group.

         8. ppp chap hostname <hostname>
              This specifies the wireless hostname to use when authenticating to the 3G network.  This username is your aircard's 10-digit phone number, appended with '@vzw3g.com'.  Or, to find your phone number with the proper suffix already appended, execute the command 'show cellular x/x/x profile'.  The command output is shortened for brevity.
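The pre-activation checks from section 2 (record the ESN, confirm REV-A service, confirm a usable RSSI) automated against `show cellular` output. This is an added example, not part of the original guide; the three captures are constructed to mirror the command output shown above, and the -90 dBm / -80 dBm thresholds and the "0 means no signal" rule are taken from the text. The `test cellular ... cdma rev-a enable` hint in the output is the command the guide gives for cards shipped with REV-A disabled.

```python
"""Readiness check for a Cisco 3G HWIC from `show cellular` output.

Added example, not from the original guide. The captures are constructed
copies of the guide's sample output; the thresholds are the guide's own.
"""
import re

# Constructed captures, shaped like the guide's `sho cellular 0/0/0 ...` output
HARDWARE_OUTPUT = """\
Modem Firmware Version = p2005700
Modem Firmware built = 12-14-06
Hardware Version = 2.0
Electronic Serial Number (ESN) = 0x603C97F6
Preferred Roaming List (PRL) Version = 50783
Current Modem Temperature = 26 degrees Celsius
"""
NETWORK_OUTPUT = "Current Service = 1xEV-DO (Rev A) and 1xRTT\n"
RADIO_OUTPUT = """\
1xRTT related info
------------------
Current RSSI = -44 dBm, ECIO = -4 dBm
"""

MAX_THROUGHPUT_RSSI_DBM = -80   # better than this: maximum throughput
USABLE_RSSI_DBM = -90           # better than this: usable signal


def parse_field(output, label):
    """Value of a 'Label = value' line, or None if the line is absent."""
    m = re.search(r"^" + re.escape(label) + r"\s*=\s*(.+?)\s*$", output, re.M)
    return m.group(1) if m else None


def parse_esn(hardware_output):
    return parse_field(hardware_output, "Electronic Serial Number (ESN)")


def parse_rssi_dbm(radio_output):
    m = re.search(r"Current RSSI\s*=\s*(-?\d+)\s*dBm", radio_output)
    return int(m.group(1)) if m else None


def classify_rssi(rssi_dbm):
    """Apply the guide's thresholds; 0 (or no reading) means no signal."""
    if rssi_dbm is None or rssi_dbm == 0:
        return "no signal"
    if rssi_dbm > MAX_THROUGHPUT_RSSI_DBM:
        return "maximum throughput"
    if rssi_dbm > USABLE_RSSI_DBM:
        return "usable"
    return "too weak"


def is_rev_a(network_output):
    service = parse_field(network_output, "Current Service")
    return service is not None and "Rev A" in service


def activation_readiness(hardware_output, network_output, radio_output):
    """Collect the ESN and flag anything that would block activation."""
    esn = parse_esn(hardware_output)
    rssi = parse_rssi_dbm(radio_output)
    signal = classify_rssi(rssi)
    rev_a = is_rev_a(network_output)
    issues = []
    if esn is None:
        issues.append("ESN not found; it is needed to request activation")
    if not rev_a:
        issues.append("not on REV-A service; see 'test cellular x/x/x cdma rev-a enable'")
    if signal in ("no signal", "too weak"):
        issues.append(f"RSSI {rssi} dBm: {signal}")
    return {"esn": esn, "rssi_dbm": rssi, "signal": signal, "rev_a": rev_a,
            "issues": issues, "ready": not issues}


if __name__ == "__main__":
    print(activation_readiness(HARDWARE_OUTPUT, NETWORK_OUTPUT, RADIO_OUTPUT))
```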

Tuesday, November 15, 2011

Next Generation WAN FAQs

 

What is MPLS?
MPLS (Multi-Protocol Label Switching) is a packet-forwarding technology which uses labels to make data forwarding decisions. With MPLS, the Layer 3 header analysis is done just once (when the packet enters the MPLS domain). Label inspection drives subsequent packet forwarding. MPLS provides the following beneficial applications: Virtual Private Networking (VPN), Traffic Engineering (TE), Quality of Service (QoS) and ATM over MPLS (AToM). Additionally, it decreases the forwarding overhead on the core routers. MPLS technologies are applicable to

IP Telephony FAQs


What does IP telephony mean?
    IP (Internet Protocol) telephony, also called IPT, is a method for taking analog audio signals, like the kind you hear when you talk on the phone, and turning them into digital data that can be transmitted over the Internet.  In the company, the digitized telephone traffic between Company locations will be carried over our WAN and LANs instead of the Public Telephone Network or the Internet.

Network Questionnaire

Example network questionnaire for Network Administrators:

General

1. Please provide an organization chart(s) for all personnel who will be involved with this audit.
2. Please provide a list of contacts.  This list should include the person's name, telephone number, e-mail address, room number, and job description (Ex. UNIX System administrator).
3. Please provide network drawings identifying all firewalls,

Monday, November 14, 2011

Cisco Network Design


      Cisco uses its own brand of networking symbols. Since Cisco has a large Internet presence and designs a broad variety of network devices, its list of symbols is exhaustive. For Cisco-specific network diagrams, download the add-ons to get the full set of Cisco Visio stencils here:
http://www.cisco.com/web/about/ac50/ac47/2.html


Detailed Cisco Network Diagram

      Identifiable network icons are used to depict common network appliances, for example a router, and the style of the lines between them indicates the type of connection. Clouds are used to represent networks external to the one pictured, for the purpose of depicting connections between internal and external devices without indicating the specifics of the outside network. The server is further connected to a printer and a gateway router, which is connected via a WAN link to the Internet.
Visio Network Stencils

Packet® Icon Library

or http://www.cisco.com/en/US/products/hw/prod_cat_visios.html

Problem & Communication Process

Problem Management and Communication Process

       Outage Communication Timeline for example Sev 1
Communications activities begin after notification from Help Desk, from users or from Key Production Environment Manager. After initial consultation with responding infrastructure manager or appropriate support team assigned to

Manual Back up and Restore CFG

Manual Back up and Restore Configuration Files for Switch

       The purpose of this content is to provide IT services staff with basic steps to migrate the configuration from an existing switch to a new switch, to ensure that the configuration backup is correct, and to ensure that the backup and restore process meets the business unit's requirements.

Use a Terminal Emulation Program to Back Up and Restore a Configuration

       A terminal emulation program can be used to back up and restore a configuration. This is a description of the procedure using Microsoft HyperTerminal Terminal Emulation software:

  1. If the configuration needs to be copied from another switch, connect to that switch through the console or Telnet.
  2. At the Switch> prompt, issue the enable command, and provide the required password when prompted.
     The prompt changes to Switch#, which indicates that the switch is now in privileged mode.
  3. Issue the terminal length 0 command in order to force the switch to return the entire response at once, rather than one screen at a time. This allows you to capture the configuration without the extraneous --more-- prompts generated when the switch responds one screen at a time.
  4. On the HyperTerminal menu, choose Transfer > Capture Text. The Capture Text window appears.
  5. Name this file "config111111.txt" [name template "configmmddyy.txt"].
  6. Click Start in order to dismiss the Capture Text window and begin the capture.
  7. Issue the show running-config command, and allow time for the switch to complete its response. You will see "Building configuration..." followed by the configuration.
  8. On the HyperTerminal menu, choose Transfer > Capture Text > Stop in order to end the screen capture.
  9. Open the config111111.txt file you created in any text editor, such as Notepad or Wordpad.
  10. Connect to the switch that needs the configuration.
  11. Open the config111111.txt file.
  12. Highlight the entire contents of the config111111.txt file. You can do this by dragging the cursor from before the first character to after the last character in the file while holding down the left mouse button. Alternatively, if you use Notepad, you can choose Edit > Select All from the menu.
  13. Copy the selected text to the Windows clipboard. You can either choose Edit > Copy from the text editor menu, or hold down the CTRL key and simultaneously press the C key in order to perform the copy.
  14. Switch to the HyperTerminal window, and issue the configure terminal command at the Switch# prompt. Then press Enter.
  15. Paste the configuration file into the switch by selecting Edit > Paste to Host on the HyperTerminal menu.
  16. After the configuration has finished pasting and the switch brings you back to the configuration prompt, issue the copy running-config startup-config command in order to write the configuration into memory.
  17. Issue the exit command in order to return to the Switch# prompt.
  18. Log on as local administrator and verify that the switch is functioning as expected. Use the show running-config command to confirm that the configuration file has been copied to the destination switch.
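A check for the capture produced in steps 4 to 9 and for the verification in step 18, as an added example that is not part of the original procedure. It strips the noise HyperTerminal records around the configuration (the prompt line, "Building configuration...", the byte count), flags a capture that stopped before the closing `end` or that still contains `--More--` prompts because step 3 was skipped, and reports which lines of the backup did not arrive on the restored switch. The captures below are constructed; the hostname, interface names and byte count are placeholders.

```python
"""Verify a HyperTerminal capture of `show running-config` and compare it
with the configuration read back after the paste.

Added example, not part of the original procedure. Sample captures are
constructed.
"""
import re

# Constructed capture, as Transfer > Capture Text would record it
BACKUP_CAPTURE = """\
Switch-A#show running-config
Building configuration...

Current configuration : 1024 bytes
!
version 12.2
hostname Switch-A
!
interface FastEthernet0/1
 switchport mode access
!
interface FastEthernet0/2
 description uplink
 switchport mode trunk
!
line vty 0 4
 login local
!
end
"""
# Constructed: one line did not survive the paste on the destination switch
RESTORED_CAPTURE = BACKUP_CAPTURE.replace(" switchport mode trunk\n", "")
# Constructed: capture stopped (Transfer > Capture Text > Stop) too early
TRUNCATED_CAPTURE = BACKUP_CAPTURE.split("line vty")[0]

MORE_PROMPT = re.compile(r"^[ \t]*--More--[ \t]*", re.M)   # left behind when 'terminal length 0' is skipped
PROMPT_LINE = re.compile(r"^[\w.-]+[#>]")                    # e.g. 'Switch-A#show running-config'
NOISE_PREFIXES = ("Building configuration", "Current configuration")


def clean_capture(text):
    """Configuration lines only: drop prompts, headers, blank lines, '!' and --More-- prompts."""
    lines = []
    for raw in MORE_PROMPT.sub("", text).splitlines():
        line = raw.rstrip()          # keep leading space: it marks sub-commands
        stripped = line.strip()
        if not stripped or stripped == "!" or PROMPT_LINE.match(stripped):
            continue
        if stripped.startswith(NOISE_PREFIXES):
            continue
        lines.append(line)
    return lines


def verify_capture(text):
    """Is this capture a complete configuration? Returns hostname, line count and issues."""
    lines = clean_capture(text)
    issues = []
    hostname = next((l.split(None, 1)[1] for l in lines if l.startswith("hostname ")), None)
    if hostname is None:
        issues.append("no hostname line: capture may have started after the beginning")
    if not lines or lines[-1] != "end":
        issues.append("missing 'end': capture stopped before the switch finished")
    if "--More--" in text:
        issues.append("--More-- prompts found: 'terminal length 0' was not set (step 3)")
    return {"hostname": hostname, "lines": len(lines), "issues": issues, "complete": not issues}


def config_diff(backup_text, restored_text):
    """(lines in the backup missing on the restored switch, lines present only there)."""
    backup, restored = set(clean_capture(backup_text)), set(clean_capture(restored_text))
    return sorted(backup - restored), sorted(restored - backup)


if __name__ == "__main__":
    print(verify_capture(BACKUP_CAPTURE))
    print(config_diff(BACKUP_CAPTURE, RESTORED_CAPTURE))
```

The diff is order-insensitive and treats repeated identical lines as one, which is enough to catch a dropped command during the paste; a line-by-line comparison would be needed to tell apart two interfaces that share identical sub-commands.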

Roles and Responsibilities
1.   IT Service is responsible for maintaining the procedure and ensuring that the document is aligned with the procedure.
2.   The IT Service Asst. Application owner is the assigned information owner who agrees with the backup strategy.
3.   The procedure and document are subject to review and approval by the information owner at specified periods.
4.   IT Service tests the switch backup and restore process at least once a year to ensure that the backup strategy is effective. Use the test to restore the configuration at least once a year and have the application owner sign the document.