In this post, I would like to share with you the initial steps that need to be taken in order to have a basic Cisco switch configuration.
1. Configure a password to protect the access to User mode
When you connect to a Cisco Catalyst switch via the Console cable for the first time, you are placed in the User EXEC mode. In this mode you can run different show commands, but you cannot modify the configuration of the switch.
If you do not know how to connect to a Cisco switch with a console cable, take a look at this post: How to connect to a Cisco router via the console cable.
When you connect to a new switch that does not have any configuration, you will be prompted to enter the initial configuration dialog. You need to answer with no. I will show you how to configure the switch, step by step.
As you can see, I was not prompted to enter any password. For security reasons and for best practices, it is recommended to protect the access to the user EXEC mode with a password.
Enter the following commands on your device:
Switch>en
Switch#conf term
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#line console 0
Switch(config-line)#login
% Login disabled on line 0, until 'password' is set
Switch(config-line)#password Cisco123
Switch(config-line)#
Now, exit from the Global config mode and test if you are prompted for a password.
Switch(config-line)#exit
Switch(config)#exit
Switch#
*Mar 1 00:16:07.776: %SYS-5-CONFIG_I: Configured from console by console
Switch#exit
2. Configure a password to protect the access to Privileged mode
The next step is to configure a password that will protect the access to the Privileged mode. In Privileged mode you can run different show commands. In addition to this, you can run some commands which may affect the availability of your device. For example, you can reboot the switch. Also, from this mode, you can go to Global configuration mode by entering the configure terminal command and you can change the switch configuration. This is why it is imperative to protect the access to this mode.
Switch>enable
Switch#conf term
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#enable passw
Switch(config)#enable password Cisco123
Switch(config)#
Unfortunately, the password is stored in clear text in the running-config.
In order to address this, you can use the service password-encryption command to hide the password or you can use the enable secret command which, by default, stores the secret encrypted in the running-config.
Switch(config)#service password-encryption
Switch(config)#
Switch(config)#
Switch(config)#enable secret Cisco
You can check if the passwords are now hidden. If you configure both commands, enable password and enable secret, the enable secret command takes precedence.
Now you can test if the access to the privileged mode is protected.
Switch#disable
Switch>enable
Password:
Switch#
3. Set the switch hostname
In order to identify your device, you need to give it a name. Use the hostname command for this purpose.
Switch#conf term
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#hostname SW1
SW1(config)#
As you can see from the screenshot below, the switch name is immediately changed.
4. Configure the clock
All devices fail from time to time. This is why it is so important to configure the time on your switch. This way you will know when it happened.
You can configure the time manually or you can use NTP. I will show you how to configure NTP in a different post.
To configure the time manually, run this command:
SW1#clock set 19:10:00 21 March 2023
SW1#
*Mar 21 19:10:00.000: %SYS-6-CLOCKUPDATE: System clock has been updated from 01:51:19 UTC Mon Mar 1 1993 to 19:10:00 UTC Tue Mar 21 2023, configured from console by console.
SW1#show clock
19:10:23.186 UTC Tue Mar 21 2023
SW1#
5. Configure the VLAN interface for management purposes
In order to manage your switch remotely, you will need to configure the switch with an IP address. Because all the switch ports are configured by default for layer 2 forwarding, you need to assign the IP address to a virtual interface.
In my lab, I will configure the interface VLAN 1 with an IP address.
SW1#conf term
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#interface vlan 1
SW1(config-if)#ip address 172.16.10.1 255.255.255.0
SW1(config-if)#no shutdown
SW1(config-if)#
Check to confirm that the interface is up and running.
SW1#show ip int brief vlan 1
Interface              IP-Address      OK? Method Status                Protocol
Vlan1                  172.16.10.1     YES manual up                    up
SW1#
6. Configure the default gateway
In order to have connectivity outside of your LAN (Local Area Network), you will need to configure a default gateway. The default gateway has the same purpose as the default gateway for your laptop or desktop: it is the exit point from your Local Area Network.
SW1#conf term
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#ip default-gat
SW1(config)#ip default-gateway 172.16.10.254
SW1(config)#
7. Configure SSH for remote management
Next, you need to configure the switch for remote management. You will not connect to the switch every time you plan to make a change via the console cable. You will connect to it remotely and configure it from your laptop or desktop.
You can connect to the switch using the telnet protocol or the SSH protocol. Because telnet carries all the data in clear text, I will only configure SSH.
If you want to read more about telnet, take a look here: https://artofnetworkengineering.com/2023/03/03/how-telnet-and-similar-tools-help-you-troubleshoot/
Add the following config to the vty lines. With these commands, you will enable the use of a local user account for authentication and you will specify SSH as the only transport protocol allowed on these lines.
SW1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#line vty 0 15
SW1(config-line)#login local
SW1(config-line)#transport input ?
  all     All protocols
  none    No protocols
  ssh     TCP/IP SSH protocol
  telnet  TCP/IP Telnet protocol
SW1(config-line)#transport input ssh
SW1(config-line)#
For all the other steps that you need to take in order to finish the SSH configuration, you can read this post: 8 steps to configure SSH on a Cisco router or switch.
8. Save the current configuration
The last step is to save the running configuration to the startup-config file. If the switch reboots, the current config will not be lost; it will be loaded from NVRAM.
SW1#copy running-config sta
SW1#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
0 bytes copied in 1.317 secs (0 bytes/sec)
SW1#
You now have a basic Cisco switch configuration on your device.
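As an added example (not part of the original post), this small Python audit checks a saved running-config for the access-control settings from steps 1, 2 and 7: console password, enable secret, and SSH-only vty lines with local login. The sample config, its placeholder password values and the function names are constructed for illustration.

```python
# Constructed sample running-config; the type 7 value is a placeholder.
SAMPLE_CONFIG = """\
service password-encryption
enable password 7 PLACEHOLDER
line con 0
 password 7 PLACEHOLDER
 login
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 login
 transport input all
"""

def parse_sections(config):
    # IOS indents sub-commands under their parent line; group them that way.
    sections, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if raw[0] == " " and current:
            sections[current].append(line)
        else:
            current = line
            sections[current] = []
    return sections

def audit(config):
    # Check the access-control settings from steps 1, 2 and 7 of the post.
    sec, findings = parse_sections(config), []
    if "service password-encryption" not in sec:
        findings.append("global: service password-encryption missing")
    if not any(k.startswith("enable secret ") for k in sec):
        findings.append("global: no enable secret")
    if any(k.startswith("enable password ") for k in sec):
        findings.append("global: enable password present, use enable secret only")
    for name, body in sec.items():
        if name.startswith("line con") and "login local" not in body and not (
                "login" in body and any(b.startswith("password ") for b in body)):
            findings.append(f"{name}: console login not password-protected")
        if name.startswith("line vty"):
            for need in ("login local", "transport input ssh"):
                if need not in body:
                    findings.append(f"{name}: '{need}' missing")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)) or "no findings")
```

To audit a real device, save the output of show running-config to a file and pass its text to audit().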
I hope you find this post useful. Share it on your social media channels so that other people can read it too.