Cisco, Dell, HP, etc. enterprise equipment has a ton of features, but sometimes because of that it's hard to work out the process of setting up the basic stuff. In this How To article I will go through the process of configuring a Cisco switch from scratch:
- Connect to the Switch using a Console Cable
- Wipe existing configuration if needed.
- Configure Logging Synchronous
- Create admin account
- Assigning a Name to the Switch
- Assign management IP Address to VLAN 1
- Configure log on Banner
- Configure SSH version 2
- Configure a trunk port to connect to the rest of the network
- Create a new VLAN
- Configure a Voice VLAN on a port.
Equipment used in this How To:
- Cisco Catalyst 3560 48 Port PoE Switch running IOS 12.2
- IOGear USB to Serial Adapter
- Cisco Console Cable
Connecting to the Console Port:
First we'll use a console program like PuTTY to connect to the switch. All managed switches have a console port. It looks like an RJ45 port and is labelled "console". Most vendors have started converting the console port to USB on some of their switches, but they all still have the old port for compatibility/flexibility reasons. Use the following serial settings:
- Speed: 9600
- Data bits:8
- Stop bits: 1
- Parity: none
Wiping the existing configuration:
If you bought the switch off eBay or second hand there might be an existing configuration on the switch. If the console port is not locked down then you can wipe it with a few commands.
I used this switch when I was going through the VCP5-DCV certification, so I needed to wipe it. Here is how to do that.
LABSWITCH>enable
LABSWITCH#write erase
LABSWITCH#reload
---Reboot process---
Switch>
After you reload the switch it will prompt you with the Cisco initial configuration wizard. It works, but it isn't the fastest way.
Enabling Logging Synchronous:
First things first, the "logging synchronous" command. This command is the handiest command ever made and its absence is also my biggest pet peeve with any switch vendor besides Cisco. HP, Dell, etc. all lease the Cisco IOS from Cisco and modify it for their switches, but none of them lease this command, which is a shame because it makes life so much easier.
The logging synchronous command retypes the command you were typing when a status message interrupts your typing. Here is an example of a switch without logging synchronous:
Now let's enable logging synchronous!
Switch>enable
Switch#configure terminal
Switch(config)#line console 0
Switch(config-line)#logging synchronous
Switch(config-line)#exit
Switch(config)#line vty 0 15
Switch(config-line)#logging synchronous
Switch(config-line)#exit
Now that it's enabled, let's say I need to modify the configuration on FastEthernet 0/1, and a computer plugged into port 20 gets powered on while I'm typing the command for interface FastEthernet 0/1. With "logging synchronous" the switch automatically retypes everything I was working on, on a new line.
Before I configure the user account I want to set an enable password. If I don't do this then anyone with a console cable can plug into the switch and gain full access to my switch.
Switch>enable
Switch#configure terminal
Switch(config)#enable password P@ssword
This password will be in clear text, but we'll get to that in a moment. Let's continue on to creating a user account.
Time to configure the admin account; I like to get this out of the way early. The following commands will create the admin account. I'm going to use the "secret" keyword, which stores an MD5 hash of the password. If you just use the "password" keyword, the password will sit in the running config in clear text. "service password-encryption" encrypts such passwords using reversible encryption (level 7 encryption). It's better than having the password in clear text, but there are many websites on the internet that can reverse that password. Let's look at some examples:
I created two accounts, admin and admin2, both with the same password of P@ssword. For the admin account I specified the secret keyword in the command, which stores the password as an MD5 hash. For admin2 I specified the password keyword, which stores the password in clear text. After that I enabled service password-encryption, which then encrypted the password with reversible encryption. This is how easy it is to decrypt Cisco level 7 encryption.
In the end, this is what you do: always use "secret" when creating the username and enable "service password-encryption". The stronger hashing of the secret keyword is used instead of level 7 whenever it is specified in the command, and if a coworker makes a mistake then the password is at least not in the running config in plain text. For better password security you would have to use AAA, which is beyond the scope of this post, but we'll get there in the near future.
"service password-encryption" also encrypts the enable password.
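The reversibility described above, as an added example that is not part of the original post: the type 7 ("level 7") scheme is a fixed XOR of the password bytes against a publicly known key string, so anyone who can read the config can reverse it with a few lines of code, while the "secret" form holds a one-way hash. The config excerpt, the account names and the hash value in it are constructed for this demonstration; the type 7 values it carries are well-known test vectors for the password "cisco".

```python
# Added example (not from the original post): why a Cisco "level 7" password
# is not protection, and how to spot such lines in a running-config.
# The config excerpt below (accounts, hash placeholder) is constructed.
import re

# Key string IOS uses for type 7 encoding (publicly documented, not secret).
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """Reverse a 'password 7 <value>' string.

    Layout: two decimal digits giving the starting offset into TYPE7_KEY,
    then one hex pair per plaintext byte, each XORed with the next key byte.
    """
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError("not a well-formed type 7 value")
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]
                  for i, b in enumerate(body))
    return plain.decode("ascii")


def type7_encode(plain: str, seed: int = 9) -> str:
    """Forward direction of the same XOR, to show it is symmetric, not a hash.
    IOS chooses the seed itself; this function only enforces the two-digit form."""
    if not 0 <= seed <= 99:
        raise ValueError("seed must fit in two digits")
    data = plain.encode("ascii")
    out = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]
                for i, b in enumerate(data))
    return f"{seed:02d}{out.hex().upper()}"


# Constructed running-config excerpt mirroring the post's admin/admin2 setup
# after 'service password-encryption' has been applied.
SAMPLE_CONFIG = """\
enable password 7 094F471A1A0A
username admin secret 5 $1$XXXX$constructedplaceholderhash
username admin2 password 7 02050D480809
username admin3 password 0 P@ssword
"""

# Matches 'enable password [type] value' and 'username X password [type] value';
# 'secret' lines deliberately do not match.
CRED_LINE = re.compile(
    r"^(enable password|username (\S+) password)(?: (\d))? (\S+)$")


def find_weak_credentials(config: str) -> list:
    """Return (config line, reason) for each credential that is not one-way hashed."""
    findings = []
    for line in config.splitlines():
        line = line.strip()
        m = CRED_LINE.match(line)
        if not m:
            continue
        _kind, user, ptype, value = m.groups()
        who = user or "enable"
        if ptype == "7":
            findings.append((line, f"{who}: type 7 reverses to {type7_decode(value)!r}"))
        else:  # type 0, or no type marker: stored in clear text
            findings.append((line, f"{who}: clear-text password"))
    return findings


if __name__ == "__main__":
    for line, reason in find_weak_credentials(SAMPLE_CONFIG):
        print(f"{reason:45} <- {line}")
```

Run against a saved "show running-config", the audit lists every enable or username line that a config leak would expose outright; only the "secret" lines survive the check, which is the point of the advice above.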
Assigning a Name to the Switch:
You may have noticed that before I wiped the switch its name was LABSWITCH. After the wipe and reload process the switch's name is the factory default, Switch. Let's change the name to make it more identifiable.
Switch>enable
Switch#config t
Switch(config)#hostname TDSheridanLABSwitch
TDSheridanLABSwitch(config)#
That's better. Now when you log into the switch by the console cable or by Telnet/SSH it's easy to verify that you are on the right one.
Assign Management IP Address to VLAN 1
To be able to access the switch using Telnet or SSH you'll need an IP address on a VLAN that you can reach from your computer. For the sake of ease I'll use VLAN 1 in this example because every managed switch comes with VLAN 1. We can save the discussion on whether to use VLAN 1 or not for another time.
TDSheridanLABSwitch>
TDSheridanLABSwitch>enable
TDSheridanLABSwitch#conf t
Enter Configuration commands, one per line. End with CNTL/Z
TDSheridanLABSwitch(config)#interface VLAN 1
TDSheridanLABSwitch(config-if)#ip address 192.168.0.250 255.255.255.0
TDSheridanLABSwitch(config-if)#no shutdown
TDSheridanLABSwitch(config-if)#exit
TDSheridanLABSwitch(config)#ip default-gateway 192.168.0.2
TDSheridanLABSwitch(config)#exit
Now, with the IP address and the default gateway assigned, we can successfully ping the switch.
Configure logon Banner:
Before we configure SSH let's configure the Message of the Day logon banner. This will appear every time someone connects over SSH. There are several different types of logon banners, but in the interest of keeping this simple I'll use the Message of the Day banner because it can be used universally.
In the screenshot I included all of the different banner options for your reference. When formatting your message, the help text reads "LINE c banner-text c, where 'c' is a delimiting character". That sentence sounds more confusing than it really is. All it means is: at the beginning of the message use a special character to mark the start of the text, then use the same character again at the end, and don't pick a character that you want to use within the message itself. It's similar to the Windows command line, where you have to wrap a directory path in quotation marks because it contains a space. For the message of the day, quotation marks work well as the delimiter too.
Configure SSH Version 2:
Configuring SSH on a Cisco switch requires a couple of parts. First we enable the HTTP secure server. Then we assign a domain name to the switch; if you plan on using AAA for SSH access in the future, assign the domain name of the directory service the users will be coming from. After the domain name is assigned we generate the RSA keys. Then, for safety, I like to enforce that SSH version 2 is used: by default, when you enable SSH on a Cisco switch, it runs SSH version 1.99, which in Cisco speak means it accepts either version 1 or version 2. I prefer to lock it down to version 2. Next we lock the switch down to only accept SSH and not Telnet; by default the switch will accept connections from either as soon as an authentication type is configured. The VTY lines are what Cisco uses to manage Telnet and SSH sessions. On a Cisco switch you have at least 16 VTY lines (numbered 0 through 15). For a simple switch deployment just select all the lines and you'll be good to go. Lastly, on the VTY lines we specify to check the local user database for authentication.
TDSheridanLABSwitch>
TDSheridanLABSwitch>enable
TDSheridanLABSwitch#conf t
Enter Configuration commands, one per line. End with CNTL/Z
TDSheridanLABSwitch(config)#ip http secure-server
TDSheridanLABSwitch(config)#ip domain-name TDSheridanLAB.com
TDSheridanLABSwitch(config)#crypto key generate rsa general-keys modulus 2048
The name for the keys will be: TDSheridanLABSwitch.TDSheridanLAB.com
% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be non-exportable...[OK]
TDSheridanLABSwitch(config)#ip ssh version 2
TDSheridanLABSwitch(config)#line vty 0 15
TDSheridanLABSwitch(config-line)#transport input ssh
TDSheridanLABSwitch(config-line)#login local
TDSheridanLABSwitch(config-line)#exit
TDSheridanLABSwitch(config)#
Now we can verify that SSH works.
Now that SSH is working you can finish configuring the switch from the comfort of your desk instead of 3 feet away from the rack, in the loud and cold server room. You'll also see that our message of the day banner is displayed after I authenticated.
Connecting the switch to the rest of the network:
Most offices these days have VLANs, whether for wireless, voice, or infrastructure reasons. Let's go through the basic VLAN commands to get this switch up and running.
A Cisco switch by default has all of its ports configured in Dynamic Desirable mode. This means the switch detects what is plugged into the port and negotiates the link type (access or trunk) automatically. As you can see, this can be a security nightmare, so let's get rid of this concern right off the bat: before we configure any trunk ports, let's configure all the ports as access ports. Most of the ports on a switch will be used to connect end devices, so it is easier to blanket the entire switch and then modify the few trunk ports.
TDSheridanLABSwitch(config)#
TDSheridanLABSwitch(config)#interface range fastethernet 0/1-48
TDSheridanLABSwitch(config-if-range)#switchport mode access
TDSheridanLABSwitch(config-if-range)#switchport access vlan 1
TDSheridanLABSwitch(config-if-range)#exit
Creating A New VLAN:
To keep this example simple, let's say your company's voice VLAN is VLAN 2. Here is how you create a new VLAN on a switch.
TDSheridanLABSwitch>enable
TDSheridanLABSwitch#config t
TDSheridanLABSwitch(config)#vlan 2
TDSheridanLABSwitch(config-vlan)#name voice
TDSheridanLABSwitch(config-vlan)#exit
Assigning a VLAN to a Port:
Let's say that you have a switch port that is going to be dedicated to a phone only. In this case we can assign the entire port to VLAN 2. Here is how you do that.
TDSheridanLABSwitch>enable
TDSheridanLABSwitch#config t
TDSheridanLABSwitch(config)#interface FastEthernet 1/10
TDSheridanLABSwitch(config-if)#switchport mode access   (only needed if the port isn't already an access port)
TDSheridanLABSwitch(config-if)#switchport access vlan 2
TDSheridanLABSwitch(config-if)#exit
Configure a Voice VLAN on a port:
Some organizations use passthrough on their phones. In this deployment the phone and the computer share one switch port; the physical chain is switch to phone to computer. The phone is basically a 2-port switch that knows how to process VLAN tagging.
TDSheridanLABSwitch>enable
TDSheridanLABSwitch#config t
TDSheridanLABSwitch(config)#interface FastEthernet 1/9
TDSheridanLABSwitch(config-if)#switchport voice vlan 2
TDSheridanLABSwitch(config-if)#exit
Configuring Trunk Port:
Now that we have our switch configured, let's connect it to the rest of the network. If you've configured more than one VLAN, you'll need to configure a trunk port. A trunk port is usually a connection to another switch that carries VLAN-tagged frames. Depending on the age of the Cisco switch it might still support ISL, Cisco's pre-standard VLAN trunking encapsulation. If the switch supports ISL then you'll have to set the encapsulation type to dot1q first, before the port can be set as a trunk port.
TDSheridanLABSwitch>enable
TDSheridanLABSwitch#config t
TDSheridanLABSwitch(config)#interface fastethernet 0/48
TDSheridanLABSwitch(config-if)#switchport trunk encapsulation dot1q
TDSheridanLABSwitch(config-if)#switchport mode trunk
Lock Down The Trunk Port:
By default, when you configure a switch port as a trunk port, the trunk is configured to allow all VLANs through. Needless to say that could be a security issue, or at the very least a waste of network bandwidth. Here is an easy way to lock the trunk port down to the VLANs you are using. In this demo we've been using VLANs 1 and 2, so to finish out this port I'll lock our trunk port down to VLANs 1 and 2.
TDSheridanLABSwitch>enable
TDSheridanLABSwitch#config t
TDSheridanLABSwitch(config)#interface fastethernet 0/48
TDSheridanLABSwitch(config-if)#switchport trunk encapsulation dot1q
TDSheridanLABSwitch(config-if)#switchport mode trunk
TDSheridanLABSwitch(config-if)#switchport trunk allowed vlan none
TDSheridanLABSwitch(config-if)#switchport trunk allowed vlan add 1-2
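The three lockdowns this post applies (SSH-only VTY lines with SSH version 2, an explicit access mode on every edge port so the port cannot negotiate itself into a trunk, and a trunk restricted to the VLANs it carries) are easy to lose when a coworker edits the config later. As an added example that is not part of the original post, here is a small audit that reads a saved running-config and reports where those settings are missing. The config text, interface names and line numbers in it are constructed for this demonstration; it mirrors how IOS writes interface and line blocks (children indented one space, blocks separated by "!").

```python
# Added example (not from the original post): audit an IOS-style
# running-config for the hardening steps the post walks through.
# The config below is constructed; Fa0/10, Fa0/47 and vty 5-15 are
# deliberately left in the weak state the post warns about.
from typing import List, Optional, Tuple

SAMPLE_CONFIG = """\
hostname TDSheridanLABSwitch
ip ssh version 2
!
interface Vlan1
 ip address 192.168.0.250 255.255.255.0
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 1
!
interface FastEthernet0/9
 switchport mode access
 switchport voice vlan 2
!
interface FastEthernet0/10
 description left at factory default, no explicit mode
!
interface FastEthernet0/47
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/48
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 1,2
!
line vty 0 4
 transport input ssh
 login local
line vty 5 15
 transport input telnet ssh
 login local
!
"""

Section = Tuple[str, List[str]]


def parse_sections(config: str) -> List[Section]:
    """Split a config into (header, child lines) blocks.

    IOS indents a block's children by one space and separates blocks with
    '!'; a new unindented line also starts a new block (e.g. back-to-back
    'line vty' ranges)."""
    sections: List[Section] = []
    current: Optional[Section] = None
    for raw in config.splitlines():
        text = raw.strip()
        if raw.startswith(" ") and current is not None:
            current[1].append(text)
        elif text and text != "!":
            current = (text, [])
            sections.append(current)
        else:
            current = None
    return sections


def audit(config: str) -> List[Tuple[str, str]]:
    """Return (where, problem) pairs; an empty list means every check passed."""
    findings: List[Tuple[str, str]] = []
    sections = parse_sections(config)
    headers = [h for h, _ in sections]
    if "ip ssh version 2" not in headers:
        findings.append(("global", "ip ssh version 2 not set; SSHv1 is still negotiable"))
    for header, body in sections:
        if header.startswith("interface ") and not header.startswith("interface Vlan"):
            name = header.split(" ", 1)[1]
            modes = [l for l in body if l.startswith("switchport mode ")]
            if not modes:
                findings.append((name, "no explicit switchport mode; DTP may negotiate a trunk"))
            elif modes[-1] == "switchport mode trunk" and not any(
                    l.startswith("switchport trunk allowed vlan") for l in body):
                findings.append((name, "trunk allows every VLAN; set 'switchport trunk allowed vlan'"))
        elif header.startswith("line vty"):
            transport = next((l for l in body if l.startswith("transport input")), None)
            if transport != "transport input ssh":
                findings.append((header, f"{transport or 'no transport input'}; expected 'transport input ssh'"))
            if "login local" not in body and not any(l.startswith("login authentication") for l in body):
                findings.append((header, "no local or AAA login method on this line"))
    return findings


if __name__ == "__main__":
    for where, problem in audit(SAMPLE_CONFIG):
        print(f"{where:20} {problem}")
```

The parser is intentionally minimal (one-space indentation and "!" separators are all it relies on), so it also works on a config pulled from a TFTP backup rather than a live session; extend the per-section checks with whatever other per-port standards your environment enforces.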
And that's it, those are the basic steps for configuring a Cisco switch. If there are any questions feel free to leave them in the comments.