8 easy steps for basic Cisco switch configuration

In this post, I would like to share with you the initial steps that need to be taken in order to have a basic Cisco switch configuration.

Gulian Technology


1. Configure a password to protect the access to User mode

When you connect to a Cisco Catalyst switch via the Console cable for the first time, you are placed in the User EXEC mode. In this mode you can run different show commands, but you cannot modify the configuration of the switch.

If you do not know how to connect to a Cisco switch with a console cable, take a look at this post: How to connect to a Cisco router via the console cable.

When you connect to a new switch that does not have any configuration, you will be prompted to enter the initial configuration dialog. You need to answer with no. I will show you how to configure the switch, step by step.

Initial configuration dialog

As you can see, I was not prompted to enter any password. For security reasons and for best practices, it is recommended to protect the access to the user EXEC mode with a password.

Enter the following commands on your device:

Switch>en
Switch#conf term
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#line console 0
Switch(config-line)#login 
% Login disabled on line 0, until 'password' is set
Switch(config-line)#password Cisco123
Switch(config-line)#

Now, exit from the Global config mode and test if you are prompted for a password.

Switch(config-line)#exit
Switch(config)#exit
Switch#
*Mar  1 00:16:07.776: %SYS-5-CONFIG_I: Configured from console by console   
Switch#exit

2. Configure a password to protect the access to Privileged mode

The next step is to configure a password that will protect the access to the Privileged mode. In Privileged mode you can run different show commands. In addition to this, you can run some commands which may affect the availability of your device. For example, you can reboot the switch. Also, from this mode, you can go to Global configuration mode by entering the enable command and you can change the switch configuration. This is why it is imperative to protect the access to this mode.

Switch>enable 
Switch#conf term
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#enable password Cisco123
Switch(config)#
Configure a password for Privileged mode

Unfortunately, the password is stored in clear text in the running-config.

In order to address this, you can use the service password-encryption command to hide the password or you can use the enable secret command which, by default, stores the secret encrypted in the running-config.

Switch(config)#service password-encryption 
Switch(config)#
Switch(config)#
Switch(config)#enable secret Cisco

You can check if the passwords are now hidden. If you configure both commands, enable password and enable secret, the enable secret command takes precedence.

Now you can test if the access to the privileged mode is protected.

Switch#disable
Switch>enable
Password: 
Switch#

3. Set the switch hostname

In order to identify your device, you need to give it a name. Use the hostname command for this purpose.

Switch#conf term
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#hostname SW1
SW1(config)#

As you can see from the screenshot below, the switch name is immediately changed.

Change switch name

4. Configure the clock

All devices fail from time to time. This is why it is so important to configure the time on your switch: with the correct time set, you will know when a failure happened.

Wrong time

You can configure the time manually or you can use NTP. I will show you how to configure NTP in a different post.

To configure the time manually, run this command:

SW1#clock set 19:10:00 21 March 2023
SW1#
*Mar 21 19:10:00.000: %SYS-6-CLOCKUPDATE: System clock has been updated from 01:51:19 UTC Mon Mar 1 1993 to 19:10:00 UTC Tue Mar 21 2023, configured from console by console.
SW1#show clock
19:10:23.186 UTC Tue Mar 21 2023
SW1#      
Adjust the time settings

5. Configure the VLAN interface for management purposes

In order to manage your switch remotely, you will need to configure the switch with an IP address. Because all the switch ports are configured by default for layer 2 forwarding, you need to assign the IP address to a virtual interface.

In my lab, I will configure the interface VLAN 1 with an IP address.

SW1#conf term
Enter configuration commands, one per line.  End with CNTL/Z.
SW1(config)#interface vlan 1
SW1(config-if)#ip address 172.16.10.1 255.255.255.0
SW1(config-if)#no shutdown
SW1(config-if)#
Add an IP address for management purposes

Check to confirm that the interface is up and running.

SW1#show ip int brief vlan 1
Interface              IP-Address      OK? Method Status                Protocol
Vlan1                  172.16.10.1     YES manual up                    up      
SW1#
Check the Interface status

6. Configure the default gateway

In order to have connectivity outside of your LAN (Local Area Network), you will need to configure a default gateway. The default gateway has the same purpose as the default gateway for your laptop or desktop: it is the exit point from your Local Area Network.

SW1#conf term
Enter configuration commands, one per line.  End with CNTL/Z.
SW1(config)#ip default-gateway 172.16.10.254
SW1(config)#
Add a default gateway

7. Configure SSH for remote management

Next, you need to configure the switch for remote management. You will not connect to the switch via the console cable every time you plan to make a change. You will connect to it remotely and configure it from your laptop or desktop.

You can connect to the switch using the telnet protocol or the SSH protocol. Because telnet carries all the data in clear text, I will only configure SSH.

If you want to read more about telnet, take a look here: https://artofnetworkengineering.com/2023/03/03/how-telnet-and-similar-tools-help-you-troubleshoot/

Add the following config to the vty lines. With these commands, you will enable the use of a local user account for authentication and you will specify SSH as the transport protocol that will be used.

SW1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
SW1(config)#line vty 0 15
SW1(config-line)#login local  
SW1(config-line)#transport input ?
  all     All protocols
  none    No protocols
  ssh     TCP/IP SSH protocol
  telnet  TCP/IP Telnet protocol

SW1(config-line)#transport input ssh
SW1(config-line)#
Configure vty lines

For all the other steps that you need to take in order to finish the SSH configuration, you can read this post: 8 steps to configure SSH on a Cisco router or switch.

8. Save the current configuration

The last step is to save the running configuration to the startup-config file. In case the switch reboots, the current config will not be lost; it will be loaded from NVRAM.

SW1#copy running-config startup-config
Destination filename [startup-config]? 
Building configuration...
[OK]
0 bytes copied in 1.317 secs (0 bytes/sec)
SW1#
Save the current config to the startup-config file

You now have a basic Cisco switch configuration on your device.
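
As an added example (not part of the original post and not a Cisco tool), this Python script audits a saved copy of the running-config for the access settings from steps 1, 2 and 7. The sample config, the function names and the finding texts are constructed for illustration.

```python
SAMPLE = """\
no service password-encryption
enable password Cisco123
line con 0
 login
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 transport input all
"""  # constructed sample running-config, not captured from a real switch

def parse_sections(config):
    """Group indented sub-commands under the top-level line that owns them."""
    sections, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if raw[0] == " " and current is not None:
            sections[current].append(line)
        else:
            current = line
            sections.setdefault(current, [])
    return sections

def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    sections = parse_sections(config)
    findings = []
    if "service password-encryption" not in sections:
        findings.append("global: service password-encryption is not enabled")
    if any(h.startswith("enable password") for h in sections):
        findings.append("global: enable password is set; keep only enable secret")
    if not any(h.startswith("enable secret") for h in sections):
        findings.append("global: no enable secret protects Privileged mode")
    for header, body in sections.items():
        has_password = any(c.startswith("password ") for c in body)
        if header.startswith("line con") and "login local" not in body \
                and not ("login" in body and has_password):
            findings.append(f"{header}: User mode has no working password")
        if header.startswith("line vty"):
            if "login local" not in body:
                findings.append(f"{header}: login local is not configured")
            if "transport input ssh" not in body:
                findings.append(f"{header}: transport input ssh is not configured")
    return findings
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

The script flags enable password even when service password-encryption is on, because that command only obfuscates the stored string, while enable secret stores a hash and takes precedence when both are set.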

I hope you find this post useful. Share it on your social media channels so that other people can read it too.
