In my opinion, Cisco switches are the best on the market. Versatile, reliable, flexible and powerful, the Cisco switch product line (such as the 2960, 3560, 3650, 3850, 4500, 6500, 9400 series etc.) offers unparalleled performance and features.
Although a Cisco switch is a much simpler network device compared with other devices (such as routers and firewalls), many people have difficulties configuring a Cisco Catalyst switch. Unlike lower-class switch vendors (whose devices are plug-and-play), the Cisco switch needs some initial basic configuration in order to enable management, security and some other important features. In this article I will describe the basic steps needed to configure and set up a Cisco switch from scratch. I don't like graphical GUI or web management at all, so I will show you command line (CLI) configuration, which is much more powerful and actually forces administrators to learn what they are doing on the device.

STEP1: Connect to the device via console

Use terminal emulation software such as PuTTY and connect to the console of the switch. You will get the initial command prompt "Switch>". Type "enable" and hit enter. You will get into privileged EXEC mode ("Switch#"). Now, get into Global Configuration Mode:

Switch# configure terminal

Note: The switch will not ask you for a password when entering Privileged EXEC mode (i.e. after typing "enable") if it has the default factory configuration. See Step 3 below about setting up a password for Privileged EXEC mode.

STEP2: Set up a hostname for the particular switch to distinguish it in the network

Switch(config)# hostname access-switch1

STEP3: Configure an administration password (enable secret password)

access-switch1(config)# enable secret somestrongpass

The password above will be used to enter Privileged EXEC mode as described in Step 1 above.

STEP4: Configure a password for Telnet and Console access

It is a very good security practice to lock down all access lines of a switch with a password.
Although it is much better to configure an external AAA server (for centralized Authentication, Authorization and Accounting), in this article we will just configure a password on each access line (VTY lines for Telnet and the Console line):

access-switch1(config)# line vty 0 15
access-switch1(config-line)# password <strong-telnet-password>
access-switch1(config-line)# login
access-switch1(config-line)# exit
access-switch1(config)# line console 0
access-switch1(config-line)# password <strong-console-password>
access-switch1(config-line)# login
access-switch1(config-line)# exit

STEP5: Define which IP addresses are allowed to access the switch via Telnet

access-switch1(config)# ip access-list standard TELNET-ACCESS
access-switch1(config-std-nacl)# permit <management-host-ip>
access-switch1(config-std-nacl)# exit
! Apply the access list to Telnet VTY Lines
access-switch1(config)# line vty 0 15
access-switch1(config-line)# access-class TELNET-ACCESS in
access-switch1(config-line)# exit

STEP6: Assign IP address to the switch for management

! Management IP is assigned to Vlan 1 by default
access-switch1(config)# interface vlan 1
access-switch1(config-if)# ip address <management-ip> <subnet-mask>
access-switch1(config-if)# no shutdown
access-switch1(config-if)# exit

STEP7: Assign default gateway to the switch

access-switch1(config)# ip default-gateway 10.1.1.254

STEP8: Disable unneeded ports on the switch

! This step is optional but enhances security
access-switch1(config)# interface range fa 0/25-48
access-switch1(config-if-range)# shutdown
access-switch1(config-if-range)# exit

STEP9: Configure Layer2 VLANs and assign ports to them

By default, all physical ports of the switch belong to the native VLAN1. One of the most important functions of an Ethernet switch is to segment the network into multiple Layer2 VLANs (with each VLAN belonging to a different Layer3 subnet). In order to do the above Layer2 segmentation you need to create additional VLANs besides the default VLAN1 and then assign physical ports to these new VLANs. Let's create two new VLANs (VLAN2 and VLAN3) and assign two ports to each one.

! First create the Layer2 VLANs on the switch
access-switch1(config)# vlan 2
access-switch1(config-vlan)# exit
access-switch1(config)# vlan 3
access-switch1(config-vlan)# exit
! Now assign the physical ports to each VLAN. Ports 1-2 are assigned to VLAN2 and ports 3-4 to VLAN3
access-switch1(config)# interface range fa 0/1-2
access-switch1(config-if-range)# switchport mode access
access-switch1(config-if-range)# switchport access vlan 2
access-switch1(config-if-range)# exit
access-switch1(config)# interface range fa 0/3-4
access-switch1(config-if-range)# switchport mode access
access-switch1(config-if-range)# switchport access vlan 3
access-switch1(config-if-range)# exit

STEP10: Save the configuration

access-switch1(config)# exit
access-switch1# write memory

The above command to save the configuration can also be accomplished with "copy run start".

The above are some steps that can be followed for the basic set-up of a Cisco switch.
Of course there are more things you can configure (such as SNMP servers, NTP, AAA, VLAN Trunking Protocol, 802.1q trunk ports, Layer 3 inter-VLAN routing etc.) but those depend on the requirements of each particular network.

Some Useful "Show" Commands

After configuring the basic steps above, let's see some useful commands to monitor your configuration or troubleshoot possible problems:

access-switch1# show run (Displays the current running configuration)

Cisco switches provide outstanding performance, security, scalability, and cost-efficiency for any network type. They are not ordinary plug-and-play devices that need no configuration or involvement when resolving issues: Cisco switches do require an initial setup, ongoing monitoring, and maintenance.

How to configure a Cisco switch?

In this step-by-step guide, we'll configure a Cisco Catalyst switch. The Catalyst series is a well-known family of enterprise-grade network equipment, which ranges from wireless controllers and switches to wireless access points. Catalyst switches use IOS as their operating system. There are two different interfaces to configure a Cisco switch: the modern Web Console or the more versatile Cisco IOS Command-Line Interface. In this step-by-step guide on configuring a Cisco switch:
1. Inspecting and connecting to your hardware

Before configuring your Cisco switch, you'll need to be able to identify the power cable, the switch ports and the console ports. In addition, all Cisco switches come with LEDs that let you know the current state of your switch.
How to connect to a Cisco switch? Connect to the console (management) port using a console cable.
2. Establishing a serial connection

To establish a serial connection from your computer, you'll need software that controls serial lines. Well-known software that can do this is PuTTY, a free SSH, Telnet, rlogin, and raw TCP client. Unfortunately, PuTTY is only supported on Windows. So if you are running Linux or macOS, there are alternatives such as SecureCRT and MobaXterm.
3. Moving through command modes

Once connected to the switch, you'll be greeted with the prompt:

Switch>

The hostname "Switch" is the current name of the switch, and the ">" means you are in "unprivileged" command mode. In this mode, you'll only be able to display information but not change any configuration. To start configuring your Cisco switch, you'll need to raise your user privileges.

Navigate through Cisco's command modes

There are two privilege level modes: User EXEC mode (prompt "Switch>"), which only displays information, and Privileged EXEC mode (prompt "Switch#"), from which the configuration modes such as global configuration mode (prompt "Switch(config)#") are reached.

To move across these modes, you can use the following commands:

Switch> enable
Switch# configure terminal
Switch(config)# exit
Switch# disable
Switch>
4. Initial Configuration Commands

Although the switching configuration will vary according to the topology, the primary and security design depends on the topology as well. For example, you can change the hostname, console port, VTY ports, etc.

a. Configure an appropriate hostname

Enter privileged mode (enable) and then configuration mode (config terminal). Then, issue the following command:

Switch(config)# hostname <name>

You'll notice that the switch changed its name from "Switch" to whatever name you gave it.

b. Protect privileged EXEC mode with an "encrypted" password

Protect privileged EXEC mode and all sub-modes, including global, interface, subinterface, router, and line configuration modes. Enter global configuration mode and issue:

Switch(config)# enable secret <your password>

To test the new configuration, exit privileged EXEC mode and try to re-access it. First, use the "exit" command and then "enable". Notice that from unprivileged User EXEC mode, if you attempt to enter privileged EXEC mode, the console will ask you for a password. If you type the incorrect password, you'll not be able to move to privileged EXEC mode. You could also have used:

Switch(config)# enable password <password>

But the main difference between "enable secret" and "enable password" is encryption. If someone gets their hands on the configuration file (either a printed version or a TXT), they could easily find the password in plain text. With "enable secret," the password is stored encrypted (an MD5 hash, shown as a type 5 secret in the configuration), and it takes precedence over "enable password" when both are set.

c. Configure a management interface IP

Logging in to a switch for management can be challenging. First, using the console port requires you to be on-site and next to the switch. Second, you can't log in remotely to an L2 switch via Telnet or SSH by default. Third, Layer 2 switches won't take IP configuration on their physical interfaces. So, the only solution is to create a Switched Virtual Interface (SVI) and assign it an IP.
Enter global configuration mode and issue the following set of commands:

Switch(config)# interface vlan 1
Switch(config-if)# ip address <ip address> <mask>
Switch(config-if)# exit

d. Configure a default gateway

To make your switch accessible from a remote network using Telnet or SSH, you'll need to configure it with a default router. For example, L2 switches only need a Default Gateway (DG) with L3 capabilities when they need management from external networks. To configure a DG on your Cisco switch:

Switch(config)# ip default-gateway <ip address>

Save the configuration with:

Switch# wr

5. Restrict access to the switch

Security is one of the essential tasks when configuring your switch.

a. Protect console, telnet, and aux ports

When you accessed the switch via the console for the first time, it didn't request a password. To protect your switch from unauthorized access, you'll need to establish authentication for all kinds of input connections. Aside from restricting console ports, you'll also need to consider Telnet and Aux ports. You can review the current settings and the available lines with:

Switch# show running-config
Switch# show line

Issue the following commands:

Switch(config)# line con 0
Switch(config-line)# password $$ECRETCONSOLE
Switch(config-line)# login
Switch(config-line)# exit
Switch(config)# line vty 0 4
Switch(config-line)# password $$ECRETVTY
Switch(config-line)# login
Switch(config-line)# exit
b. Restrict access at the IP level with an ACL

Create an Access Control List (ACL) to deny (or permit) access to the switch based on IP addresses. You can permit access to a single IP or deny access to an entire network with an ACL. Once created, you can assign the new ACL to the VTY lines and protect Telnet access. The general form of a numbered standard ACL entry is:

Switch(config)# access-list <number> <permit|deny> <ip address> <wildcard>

A named standard ACL is built the same way:

Switch(config)# ip access-list standard TELNET
Switch(config-std-nacl)# permit <IP-1>
Switch(config-std-nacl)# permit <IP-2>
Switch(config-std-nacl)# exit

Then apply it to the VTY lines:

Switch(config)# line vty 0 4
Switch(config-line)# access-class <access-list number or name> in
Switch(config-line)# exit

The example set of commands in the guide's screenshot does the following: access list number 101 defines "permit" for the IP address 192.168.20.1. Although no "deny" has been written in ACL 101, all access lists end with an implicit "deny all." If traffic going through ACL 101 does not match the rules (i.e. the source IP is not 192.168.20.1), it is ultimately dropped. Finally, this ACL is attached to VTY lines 0 4 (Telnet connections), so nobody except 192.168.20.1 can connect to the switch via Telnet.

c. Disable unnecessary switch ports (or assign them to a Blackhole VLAN)

Although this step is not mandatory, it is highly recommended. As a best security practice, disable all unused ports using the "shutdown" command. Let's suppose our switch has 48 switch ports and that we are not using ports 18 to 48.

Switch(config)# interface range fa 0/18-48
Switch(config-if-range)# shutdown
Switch(config-if-range)# exit
Switch(config)#

An alternative to shutting down ports is creating a "black hole VLAN" and assigning all unnecessary switch ports to it. As a general rule of thumb, it is recommended to assign switch ports (used or unused) to any VLAN except VLAN 1. If any of these ports are still on the default VLAN 1 and the port is enabled, it might expose user broadcast or multicast traffic.

Create a black hole VLAN and assign all unused ports to it:

Switch(config)# vlan 999
Switch(config-vlan)# name BlackHole
Switch(config-vlan)# exit
Switch(config)# interface range fa 0/18-48
Switch(config-if-range)# switchport access vlan 999
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# exit

Remember to save your configuration with:

Switch# wr

6. Configure your switch ports and VLANs

One of the most critical functions of a Layer 2 Cisco switch is to segment the network into different L2 VLANs, where each of these VLANs belongs to a separate L3 subnet.
Switch ports are by default assigned to VLAN 1, so you'll need to create additional VLANs and assign the physical switch ports accordingly. As mentioned in the previous section, avoid using VLAN 1 for user traffic. Let's create two VLANs and assign the physical switch ports to each of them. Remember that we have already disabled (or sent to the blackhole VLAN) a portion of our switch ports.

Use the following commands to create VLANs:

Switch(config)# vlan 2
Switch(config-vlan)# name Admin
Switch(config-vlan)# exit
Switch(config)# vlan 3
Switch(config-vlan)# name Users
Switch(config-vlan)# exit

Assign the physical switch ports to each VLAN:

Switch(config)# interface range fa 0/1-3
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 2
Switch(config-if-range)# exit
Switch(config)# interface range fa 0/4-17
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 3
Switch(config-if-range)# exit

Save your configuration with:

Switch# wr

7. Useful Additional Commands

After following the basic Cisco switch configuration shown in the previous sections, you can use the following additional commands to monitor and troubleshoot your configuration.

a. Display the current configuration:
Switch# show run

b. Show the current MAC address table:
Switch# show mac address-table

c. Show all interfaces, their configuration, and their status:
Switch# show interfaces

d. Display the condition of all interfaces, including parameters like speed, duplex, and more:
Switch# show interface status

e. Show all the VLAN numbers, names, and their associated switch ports:
Switch# show vlan
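To check that a switch actually ended up with the hardening from steps 4b and 5 (enable secret rather than enable password, login plus a password on every line, an access-class on the VTY lines, no enabled port left on VLAN 1), here is an added example, not code from either guide, that audits saved "show run" output; the sample configuration is constructed, and the parse_sections and audit helpers are hypothetical names chosen for this example.

```python
"""Audit 'show run' text against the hardening steps above. Added example; SAMPLE_CONFIG is constructed."""

SAMPLE_CONFIG = """\
enable password weakpass
interface FastEthernet0/1
 switchport access vlan 2
interface FastEthernet0/2
interface FastEthernet0/3
 shutdown
line con 0
 password $$ECRETCONSOLE
 login
line vty 0 4
 login
"""

def parse_sections(config):
    """Group the config into (header, [sub-commands]); indented lines attach to the last header."""
    sections = []
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):   # skip blanks and '!' separators
            continue
        if line.startswith(" ") and sections:
            sections[-1][1].append(line.strip())
        elif not line.startswith(" "):
            sections.append((line.strip(), []))
    return sections

def audit(config):
    """Return one finding per deviation from the article's hardening steps."""
    sections = parse_sections(config)
    findings = []
    if any(h.startswith("enable password") for h, _ in sections):
        findings.append("enable password keeps the password in clear text; use enable secret")
    if not any(h.startswith("enable secret") for h, _ in sections):
        findings.append("no enable secret: privileged EXEC mode is unprotected")
    for header, body in sections:
        if header.startswith("interface ") and "shutdown" not in body:
            vlan = next((b.split()[-1] for b in body if b.startswith("switchport access vlan ")), "1")
            if vlan == "1":
                findings.append(f"{header}: enabled port still on default VLAN 1")
        if header.startswith("line "):
            if not any(b == "login" or b.startswith("login ") for b in body):
                findings.append(f"{header}: no login, connections need no authentication")
            elif "login" in body and not any(b.startswith("password ") for b in body):
                findings.append(f"{header}: login set but no line password")
            if header.startswith("line vty") and not any(b.startswith("access-class ") for b in body):
                findings.append(f"{header}: no access-class ACL restricting remote sources")
    return findings
```

Run audit() on the real output of "show running-config" saved to a file; an empty list means every check above passed.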