Cisco switch configuration
Setting up a Cisco network switch involves a set of basic configuration steps that make it work correctly and securely on the network. These steps are normally carried out from the switch's command-line interface (CLI).
What follows is a walkthrough of basic Cisco switch configuration:
Initial Access and Connection
Before you can configure a new or spare switch, you need a connection to it:
Inspect Hardware: Note the switch's model number and check the device and its cables for damage. Power on the switch and watch the LEDs: the system LED turns green once the power-on self-test (POST) completes.
Console Connection: Use a rollover cable (usually called a console cable) to connect a computer to the console port of the switch.
Terminal Emulation Software: A terminal emulator such as PuTTY, Tera Term, RealTerm, screen, or minicom is used to reach the CLI over the console port.
Serial Settings: Configure the terminal software with the serial settings that most Cisco switches use:
Baud Rate: 9600,
Data bits: 8,
Parity: None,
Stop bits: 1,
Flow control: None.
After connecting, press Enter; you should see a prompt in the terminal window.
Delete Previous Configuration (for spare switches): If you are reusing a switch, remove any previous setup before connecting it to the network: delete flash:vlan.dat (the VLAN database), erase startup-config (the saved configuration), then reload.
Understanding CLI Modes
Cisco's CLI has several modes, each of which gives access to a different set of commands:
- User EXEC Mode (Switch>): a limited set of monitoring commands.
- Privileged EXEC Mode (Switch#): all show and debug commands and the entry point to configuration. Enter it from user EXEC mode with enable.
- Global Configuration Mode (Switch(config)#): commands here affect the system as a whole. Enter it from privileged EXEC mode with configure terminal (or config t).
- Sub-configuration Modes: entered from global configuration mode for a particular component. Some examples:
  - Interface Configuration Mode (Switch(config-if)#): entered with interface type number (e.g., interface vlan 1 or interface GigabitEthernet 0/1).
  - Line Configuration Mode (Switch(config-line)#): entered with line console 0 or line vty 0 15.
  - VLAN Configuration Mode (Switch(config-vlan)#): entered with vlan vlan-id.
- Navigation: exit moves up one level; end (or Ctrl+Z) returns to privileged EXEC mode from any sub-mode.
Essential Configuration Steps
Hostname and Domain Name:
- Give the switch a distinctive, meaningful hostname so it is easy to identify on the network, using the global configuration command hostname name (e.g., hostname Switch01).
- Set a domain name with ip domain-name fqdn (e.g., ip domain-name routerfreak.com). The SSH key pair is named from the hostname and domain name, so set both before generating keys.
Management IP Address and Default Gateway:
- Configure a Switched Virtual Interface (SVI) with an IP address so the switch can be reached remotely over SSH (or Telnet). VLAN 1 is the default, but it is better practice to put management on a dedicated VLAN: VLAN 1 is also the default VLAN for every access port and for control-plane protocols, so management traffic on it is exposed to every user port.
- Enter interface vlan 1 in global configuration mode (or the SVI of your management VLAN).
- Assign an IP address and subnet mask: ip address 192.168.101.1 255.255.255.0.
- Bring the interface up with no shutdown.
- Set a default gateway so the switch can reach devices outside its local VLAN: ip default-gateway 192.168.101.254. The gateway address must lie in the same subnet as the management SVI.
Security (Passwords and Banners):
- Enable Secret: Protect privileged EXEC mode with a strong password using enable secret pass-value (e.g., enable secret Top$ecretPrivEXECpassWORD). The secret is stored as a salted hash in the configuration, which is why enable secret should be used rather than the older enable password, which is stored in plaintext or in reversible type 7 form.
- Console Port Security: Protect direct access through the console port.
- From global configuration mode, enter line console 0.
- Set a password: password faith.
- Require login: login.
- Virtual Terminal Line (VTY) Security: for remote access over SSH (or Telnet).
- From global configuration mode, enter line vty 0 4 (or line vty 0 15 to cover all default VTY lines; any line you leave out keeps its default settings).
- Set a password: password hope.
- Require login: login.
- Restrict the allowed protocol: transport input ssh. The alternative transport input all also accepts Telnet, which carries credentials and the whole session in cleartext, so it should not be used on a network you care about.
- Password Encryption: Run service password-encryption in global configuration mode so that line and enable passwords are not stored in plaintext in the configuration. Note that this applies type 7 encoding, a reversible obfuscation that is decoded in seconds by freely available tools; it only defeats shoulder-surfing of show running-config and is no substitute for enable secret and username ... secret.
- Local Usernames: Instead of shared line passwords, create per-user credentials with the global command username name secret password and apply login local on the console and VTY lines. The switch then prompts for a username and password, and each login is attributable to a person.
- Message of the Day (MOTD) Banner: Configure a banner with banner motd delimiter text delimiter. It is shown to everyone who connects, before login, so make it a warning that access is restricted and monitored; avoid the word "welcome" and do not disclose the hostname, model or owner.
Secure Shell (SSH) Configuration
SSH encrypts the entire remote management session, unlike Telnet.
- Make sure the hostname and domain name are set (as above).
- Generate an RSA key pair: crypto key generate rsa. You are prompted for the modulus size; use 2048 bits or larger, since 1024-bit keys are too weak and are rejected by current SSH clients.
- Set the SSH version explicitly: ip ssh version 2. SSHv1 has known protocol weaknesses and should not be left enabled.
- Make sure the VTY lines accept only SSH: transport input ssh.
- Configure the VTY lines to use local authentication: login local.
- Verify with show ip ssh in privileged EXEC mode; it reports whether SSH is enabled and which version is in use.
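The steps above, from hostname through SSH, combined into one management-plane baseline. This is an added example, not configuration from the original page; the hostname, domain, addresses, account name and management VLAN 99 are assumptions, and the VTY access list and idle timeouts are additions a practitioner would normally want alongside the steps described.

```cisco
! Management-plane baseline for a Catalyst access switch (added example).
! Hostname, domain, addresses, account name and VLAN 99 are assumptions.
hostname Switch01
ip domain-name routerfreak.com
!
! Management SVI on a dedicated VLAN rather than VLAN 1; VLAN 1 stays down.
vlan 99
 name MGMT
interface vlan 1
 shutdown
interface vlan 99
 description Management
 ip address 192.168.101.1 255.255.255.0
 no shutdown
ip default-gateway 192.168.101.254
!
! Hashed enable secret and a per-user local account.
! Weak alternative to avoid: "enable password ..." (plaintext / type 7).
enable secret Top$ecretPrivEXECpassWORD
username netadmin privilege 15 secret S0me-Strong-Passphrase!
service password-encryption
!
! SSHv2 only, 2048-bit RSA key, short login timeout and retry limit.
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! Console: local accounts, 5-minute idle timeout.
line console 0
 login local
 exec-timeout 5 0
 logging synchronous
!
! All 16 VTY lines: SSH only (Telnet refused), local accounts, idle timeout,
! and an access list so only the management subnet can open a session.
! Weak alternative to avoid: "transport input all" (accepts Telnet).
ip access-list standard MGMT-ACCESS
 permit 192.168.101.0 0.0.0.255
 deny   any log
line vty 0 15
 access-class MGMT-ACCESS in
 transport input ssh
 login local
 exec-timeout 5 0
!
! Pre-login warning shown on every connection: no "welcome", no device details.
banner motd ^
UNAUTHORIZED ACCESS PROHIBITED. This system is monitored and all activity is logged.
^
end
copy running-config startup-config
```

After applying it, check show ip ssh (version 2, SSH enabled), show running-config | include enable|username|transport (no enable password, no transport input all), and confirm from a host outside 192.168.101.0/24 that an SSH connection is refused while one from inside the subnet is prompted for a username.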
VLAN Trunking Protocol (VTP) Revision Number
- Check the configuration revision number on a new or spare switch with show vtp status.
- Set the switch to transparent mode with vtp mode transparent before connecting it to the network. This resets the revision number to zero, so a switch carrying a stale database with a higher revision number cannot overwrite the VLANs of the production VTP domain when it is plugged in.
- Configure the VTP domain name with vtp domain name.
VLAN Configuration
VLANs segment the network into separate broadcast domains for security and organisation.
- Give each VLAN an ID and a unique name: from global configuration, enter vlan 2, then name cafe. Repeat for every VLAN you need.
Port Configuration
- Access Ports: Assign end-user device ports to a single VLAN.
- Enter interface or interface-range mode, e.g., interface FastEthernet 0/5 or interface range FastEthernet 0/5 - 7.
- Set the port mode: switchport mode access.
- Assign the VLAN: switchport access vlan 2.
- Trunk Ports: Carry traffic for several VLANs between switches or to a router.
- Enter interface mode (e.g., interface FastEthernet 0/2).
- On switches that also support ISL, first set the encapsulation with switchport trunk encapsulation dot1q; on 802.1Q-only switches, simply enter switchport mode trunk.
- Port Security: Limits which MAC addresses may send traffic through a port.
- Configure the port as an access port with switchport mode access (port security cannot be enabled on a port in dynamic mode).
- Enable port security with switchport port-security (defaults: one MAC address allowed, violation mode shutdown, which error-disables the port).
- Tune it with switchport port-security maximum number, switchport port-security violation {protect | restrict | shutdown}, and switchport port-security mac-address sticky, which learns the connected MAC address and writes it into the running configuration.
- Interface Settings:
- Description: Label the port, e.g., description Printer on Third Floor or description *** UPLINK ***.
- Speed and Duplex: Autonegotiated by default, but can be set explicitly with speed {10 | 100 | 1000 | auto} and duplex {auto | full | half}.
- Enable/Disable: Switch ports are enabled by default; use shutdown to disable a port and no shutdown to re-enable it. Unused ports should be shut down and placed in an unused VLAN so that nothing plugged into them gets network access.
- Auto-MDIX: Cisco Catalyst switches detect the cable type and adjust automatically (mdix auto).
Spanning Tree Protocol (STP)/RSTP
To prevent loops in redundant topologies, Cisco switches run spanning tree by default (PVST+ on most Catalyst models). Rapid Spanning Tree (RSTP, as Rapid PVST+) is enabled by selecting it as the mode and then needs no further setup.
- Set the mode with the global command spanning-tree mode {pvst | rapid-pvst | mst}.
- Influence the root bridge election with spanning-tree [vlan vlan-number] root primary on the switch that should become root and spanning-tree [vlan vlan-number] root secondary on its backup.
- Optional STP features for access ports connected to end devices are PortFast and BPDU Guard. PortFast lets a port go straight to the forwarding state; BPDU Guard error-disables a port that receives a Bridge Protocol Data Unit (BPDU), so an unauthorised switch plugged into a user port cannot take over the STP topology. Enable them per port with spanning-tree portfast and spanning-tree bpduguard enable, or for all PortFast ports at once with the global commands spanning-tree portfast default and spanning-tree portfast bpduguard default.
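The VTP, VLAN, port and spanning-tree sections above, applied together to an access switch. This is an added example rather than configuration from the original page: the interface numbering (Gi0/1-22 user ports, Gi0/23 unused, Gi0/24 uplink), VLAN IDs, names and the err-disable recovery timer are assumptions.

```cisco
! Access-layer port baseline for a Catalyst switch (added example).
! Interface numbers, VLAN IDs and names are assumptions.
!
! VTP transparent (revision reset to 0) so this switch cannot overwrite the
! domain's VLAN database; VLANs are defined locally.
vtp mode transparent
vtp domain routerfreak
vlan 2
 name cafe
vlan 10
 name staff
vlan 99
 name MGMT
vlan 998
 name NATIVE-UNUSED
vlan 999
 name PARKING
!
! Rapid PVST+; every PortFast port also gets BPDU Guard, so a rogue switch
! on a user port is err-disabled instead of joining the topology.
spanning-tree mode rapid-pvst
spanning-tree portfast default
spanning-tree portfast bpduguard default
! On the distribution switch that should win the root election (not here):
!   spanning-tree vlan 1-4094 root primary
!
! User ports: access mode, one VLAN, DTP off, port security with sticky MACs.
interface range GigabitEthernet0/1 - 22
 description User port
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 spanning-tree portfast
 no shutdown
!
! Unused port: parked in an unused VLAN and shut down.
interface GigabitEthernet0/23
 description Unused
 switchport mode access
 switchport access vlan 999
 shutdown
!
! Uplink trunk: explicit 802.1Q, pruned allowed list, non-default native
! VLAN, DTP off. No PortFast/BPDU Guard here: this port must receive BPDUs.
interface GigabitEthernet0/24
 description *** UPLINK to Dist1 ***
 switchport trunk encapsulation dot1q   ! omit on 802.1Q-only models (e.g. 2960)
 switchport trunk native vlan 998
 switchport trunk allowed vlan 2,10,99
 switchport mode trunk
 switchport nonegotiate
 no shutdown
!
! Bring port-security-violated ports back automatically after 5 minutes.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
end
copy running-config startup-config
```

Verify with show vtp status (mode Transparent, revision 0), show vlan brief, show interfaces trunk (only VLANs 2, 10 and 99 allowed on Gi0/24), show port-security interface GigabitEthernet0/1, and show spanning-tree summary, which lists the mode and whether PortFast and BPDU Guard defaults are active.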
Saving Configuration
Configuration mode commands are instantly applied to the running-config (the RAM configuration that is currently active). The running configuration needs to be saved to the startup-config file in NVRAM in order for these modifications to be retained across reboots.
- copy running-config startup-config (privileged EXEC command).
Switch# copy run start
Removing Configuration
Use the no variant of the command to remove a particular configuration command or return an interface setting to its default state (for example, no speed 100 returns speed to auto). The default interface interface-id global configuration command can be used to restore all interface subcommands on a certain interface to their initial configurations.
Verification
- Use commands such as show version, show running-config, show ip interface brief, show vlan brief, show vtp status, show port-security, show spanning-tree, and ping to check connectivity and configuration.
- Verify that SSH is enabled and running version 2 with show ip ssh.
These procedures allow even less experienced IT staff to integrate and configure a Cisco switch correctly in their workplace.