Basic Cisco Switch Configuration
In my opinion, Cisco switches are the best on the market. Versatile, reliable, flexible and powerful, the Cisco Catalyst product line (2960, 3560, 3650, 3850, 4500, 6500, 9400 series and so on) offers unparalleled performance and features.
Although a Cisco switch is a much simpler network device than a router or a firewall, many people have difficulty configuring a Cisco Catalyst switch.
Unlike lower-end switches from other vendors, which are plug-and-play, a Cisco switch needs some initial basic configuration to enable management, security and a few other important features. A switch that is simply plugged in keeps its factory defaults: no passwords, management on VLAN 1 and every port enabled, which is exactly what the steps below change.
In this article I describe the basic steps needed to configure and set up a Cisco switch from scratch. I do not like graphical or web management at all, so I will show you command line (CLI) configuration, which is much more powerful and actually forces administrators to learn what they are doing on the device. The full range of topics involved in configuring a Catalyst switch includes:
1. Hostname
2. Management IP
3. IP default gateway
4. Local user and password
5. Enable secret password
6. Console and VTY logins
7. Exec-timeout
8. Service password-encryption
9. Enable SSH
10. Copy run start (save the configuration)
11. Add login banner
12. Enable TACACS+
13. Enable DNS
14. Enable NTP
15. VRF (Virtual Routing and Forwarding)
16. Create VLANs
17. Add SVI (IP address on a VLAN interface)
18. Set VTP domain
19. Set up HSRP standby
20. Set up trunk ports and port channels
21. Assign access ports
22. Spanning tree
23. SPAN and RSPAN
24. Set up routing: OSPF/BGP/EIGRP/RIP
25. ACL (access control list)
26. Route-map
27. Redistribution
28. Summarization
29. 802.1Q trunks
30. IPv6 and IPv4
STEP1: Connect to the device via console
Use a terminal emulation program such as PuTTY and connect to the console port of the switch (the default serial settings are 9600 baud, 8 data bits, no parity, 1 stop bit). You will get the initial command prompt “Switch>”.
Type “enable” and hit enter. You will get into privileged EXEC mode (“Switch#”).
Now get into global configuration mode:
Switch# configure terminal
Switch(config)#
Note: The switch will not ask you for a password when entering privileged EXEC mode (i.e. after typing “enable”) if it has the default factory configuration. See Step 3 below about setting up a password for privileged EXEC mode.
STEP2: Configure a hostname
Switch(config)# hostname access-switch1
access-switch1(config)#
STEP3: Configure an administration password (enable secret password)
access-switch1(config)# enable secret somestrongpass
The password above will be asked for when entering privileged EXEC mode, as described in Step 1 above. Use enable secret rather than enable password: the secret is stored as a hash in the configuration, whereas enable password is stored in cleartext (or as a trivially reversible type 7 string if service password-encryption is on).
STEP4: Configure passwords for the console and VTY lines
It is a very good security practice to lock down all access lines of a switch with a password. Although it is much better to configure an external AAA server (for centralized Authentication, Authorization and Accounting), in this article we will just configure a password on each access line (the VTY lines for Telnet and the console line):
access-switch1(config)# line vty 0 15
access-switch1(config-line)# password strongtelnetpass
access-switch1(config-line)# login
access-switch1(config-line)# exit
access-switch1(config)#
access-switch1(config)# line console 0
access-switch1(config-line)# password strongconsolepass
access-switch1(config-line)# login
access-switch1(config-line)# exit
access-switch1(config)#
Telnet sends the password and every command in cleartext over the network, so on any switch that supports SSH the VTY lines should be restricted to SSH (transport input ssh) as soon as a local user and an RSA key exist. The line password here is the minimum, not the target.
STEP5: Restrict Telnet access with an access list
Restrict which hosts may open a management session at all. A standard access list applied to the VTY lines as an access-class admits only the listed management hosts; every other source is refused before it even reaches the login prompt.
access-switch1(config)# ip access-list standard TELNET-ACCESS
access-switch1(config-std-nacl)# permit 10.1.1.100
access-switch1(config-std-nacl)# permit 10.1.1.101
access-switch1(config-std-nacl)# exit
!Apply the access list to the Telnet VTY lines
access-switch1(config)# line vty 0 15
access-switch1(config-line)# access-class TELNET-ACCESS in
access-switch1(config-line)# exit
access-switch1(config)#
STEP6: Assign an IP address to the switch for management
!Management IP is assigned to VLAN 1 by default. The VLAN 1 interface is administratively down on a factory-default switch, so bring it up as well.
access-switch1(config)# interface vlan 1
access-switch1(config-if)# ip address 10.1.1.200 255.255.255.0
access-switch1(config-if)# no shutdown
access-switch1(config-if)# exit
access-switch1(config)#
Using VLAN 1 for management is the default, not a recommendation: VLAN 1 is also the default VLAN of every access port, so a dedicated management VLAN with its own SVI keeps management traffic away from user ports.
STEP7: Assign a default gateway to the switch
access-switch1(config)# ip default-gateway 10.1.1.254
This is the gateway for the switch's own management traffic on a Layer 2 switch (ip routing disabled). On a Layer 3 switch with ip routing enabled, ip default-gateway is ignored and a default static route (ip route 0.0.0.0 0.0.0.0 10.1.1.254) is used instead.
STEP8: Disable unneeded ports on the switch
! This step is optional but enhances security
! Assume that we have a 48-port switch and we don’t need ports 25 to 48
access-switch1(config)# interface range fastethernet 0/25 - 48
access-switch1(config-if-range)# shutdown
access-switch1(config-if-range)# exit
access-switch1(config)#
STEP9: Configure Layer 2 VLANs and assign ports to them
By default, all physical ports of the switch belong to the default VLAN, VLAN 1. One of the most important functions of an Ethernet switch is to segment the network into multiple Layer 2 VLANs, with each VLAN belonging to a different Layer 3 subnet.
To do this Layer 2 segmentation you create additional VLANs beyond the default VLAN 1 and then assign physical ports to the new VLANs. Let’s create two new VLANs (VLAN 2 and VLAN 3) and assign two ports to each one. Setting switchport mode access explicitly also fixes the port as a non-trunking port, so an attached host cannot negotiate a trunk via DTP and gain access to every VLAN.
! First create the Layer 2 VLANs on the switch
access-switch1(config)# vlan 2
access-switch1(config-vlan)# name TEACHERS
access-switch1(config-vlan)# exit
access-switch1(config)# vlan 3
access-switch1(config-vlan)# name STUDENTS
access-switch1(config-vlan)# exit
! Now assign the physical ports to each VLAN. Ports 1-2 are assigned to VLAN 2 and ports 3-4 to VLAN 3
access-switch1(config)# interface range fastethernet 0/1 - 2
access-switch1(config-if-range)# switchport mode access
access-switch1(config-if-range)# switchport access vlan 2
access-switch1(config-if-range)# exit
access-switch1(config)# interface range fastethernet 0/3 - 4
access-switch1(config-if-range)# switchport mode access
access-switch1(config-if-range)# switchport access vlan 3
access-switch1(config-if-range)# exit
STEP10: Save the configuration
access-switch1(config)# exit
access-switch1# wr
The command above (short for write memory) saves the running configuration to NVRAM; the same thing can be done with copy running-config startup-config (copy run start). Until it is saved, everything configured above is lost at the next reload.
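The ten steps above, consolidated into one hardened baseline as an added example (this is not the original article's configuration). It replaces Telnet with SSH, uses a local user with a hashed secret, moves management off VLAN 1 onto a dedicated VLAN, fixes user ports as access ports with BPDU guard, and parks unused ports in an unused VLAN. The hostname, domain name, user name, addresses and VLAN numbers are assumptions chosen for illustration; the RSA key generation needs the hostname and ip domain-name set first, which is why they come first.

```cisco
! Added example: hardened baseline for a Layer 2 Catalyst access switch.
! All names, addresses and VLAN numbers are assumptions for illustration.
hostname access-switch1
ip domain-name lab.example.com
!
! Hashed secrets: "enable secret" and "username ... secret" are stored as
! hashes. service password-encryption only obfuscates any remaining
! "password" lines (reversible type 7); it is not a substitute for "secret".
enable secret somestrongpass
username netadmin privilege 15 secret anotherstrongpass
service password-encryption
!
! SSH instead of Telnet: generate the host key (needs hostname and
! ip domain-name first), enforce SSH version 2, limit login attempts.
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! The web management interface is not needed for CLI management.
no ip http server
no ip http secure-server
!
! Only the assumed admin hosts may open a management session.
ip access-list standard MGMT-ACCESS
 permit 10.1.99.100
 permit 10.1.99.101
 deny any log
!
line console 0
 login local
 exec-timeout 10 0
 logging synchronous
line vty 0 15
 login local
 transport input ssh
 access-class MGMT-ACCESS in
 exec-timeout 10 0
!
banner motd ^
Authorised access only. All activity is logged.
^
!
! VLANs: two user VLANs, a dedicated management VLAN and a parking VLAN
! for unused ports. Management is moved off VLAN 1.
vlan 2
 name TEACHERS
vlan 3
 name STUDENTS
vlan 99
 name MANAGEMENT
vlan 999
 name UNUSED
!
interface vlan 1
 no ip address
 shutdown
interface vlan 99
 ip address 10.1.99.200 255.255.255.0
 no shutdown
ip default-gateway 10.1.99.254
!
! User access ports: fixed access mode (no DTP trunk negotiation),
! edge-port spanning tree and BPDU guard against a rogue switch.
interface range fastethernet 0/1 - 2
 switchport mode access
 switchport access vlan 2
 spanning-tree portfast
 spanning-tree bpduguard enable
interface range fastethernet 0/3 - 4
 switchport mode access
 switchport access vlan 3
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Unused ports: shut down and parked in the unused VLAN, so that a port
! re-enabled by mistake does not land in a production VLAN.
interface range fastethernet 0/25 - 48
 switchport mode access
 switchport access vlan 999
 shutdown
!
end
copy running-config startup-config
```

Paste it into global configuration mode from the console. The key generation pauses for a few seconds, and the final copy prompts for a destination filename (Enter accepts startup-config). Confirm with show ip ssh and, from one of the admin hosts, ssh -l netadmin 10.1.99.200; a Telnet connection to the same address should now be refused, and a connection from any host outside MGMT-ACCESS is dropped and logged.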
The above are some steps that can be followed for the basic set-up of a Cisco switch. Of course there are more things you can configure (such as SNMP servers, NTP, AAA, VLAN Trunking Protocol, 802.1Q trunk ports, Layer 3 inter-VLAN routing etc.), but those depend on the requirements of each particular network.
Another important precaution is to also configure a password for the VTP domain, so that any new switch connected must have the domain password configured by the administrator before it can participate in the domain.
STEP 11: VTP configuration
VTP Server Switch:
! Configure first a name for the VTP domain
Vtp-server(config)# vtp domain mynetworkvtpname
! Configure the switch in server mode
Vtp-server(config)# vtp mode server
! Configure a password for the domain
Vtp-server(config)# vtp password vtp123
VTP Client Switch:
! Configure first a name for the VTP domain
Vtp-client(config)# vtp domain mynetworkvtpname
! Configure the switch in client mode
Vtp-client(config)# vtp mode client
! Configure the domain password in order to be able to participate (it must match the server's password exactly)
Vtp-client(config)# vtp password vtp123
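The domain password stops an unknown switch from joining, but it does not protect the domain from a switch that knows the password and carries a stale VLAN database. Whichever switch in the domain has the highest configuration revision number overwrites everyone else's VLAN list when it joins, in client mode as well as server mode, provided the domain name and password match. As an added example (not part of the original article), this is the procedure for bringing a previously used switch into the domain safely; it assumes the domain name and password from the section above:

```cisco
! Added example: safely introduce a reused switch into an existing VTP domain.
! Assumes the domain name and password configured in the section above.
!
! 1. On the new switch, before cabling its trunk: set transparent mode,
!    which resets the configuration revision number to 0, then set the
!    mode you actually want.
vtp mode transparent
vtp mode client
!
! 2. Set the domain and the password (it must match the server's).
vtp domain mynetworkvtpname
vtp password vtp123
!
! 3. Verify before connecting the trunk: "Configuration Revision" must be 0
!    and "VTP Operating Mode" client. On the server, note the current
!    revision so that an unexpected jump after the new switch joins is visible.
do show vtp status
!
! Where VTP is not wanted at all, leave the switch in transparent mode: it
! keeps its own VLAN database and forwards VTP advertisements on trunks
! without ever applying them.
! vtp mode transparent
```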
Some Useful “Show” Commands
After configuring the basic steps above, let’s see some useful commands to monitor your configuration or troubleshoot possible problems:
access-switch1# show run (Displays the current running configuration)
access-switch1# show interfaces (Displays the configuration of all interfaces and the status of each one)
access-switch1# show vlan (Displays all VLAN numbers, names, ports associated with each VLAN etc.)
access-switch1# show interface status (Displays status of interfaces, speed, duplex etc.)
access-switch1# show mac address-table (Displays the current MAC address table and which MAC address is learned on each interface)
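The commands above show the general state of the switch. As an added example (not from the original article), these are the checks that confirm the security settings from the steps above actually took effect; the output filters use the IOS output modifiers, and the names referenced are the ones used in the examples above:

```cisco
! Added example: verify the hardening settings took effect.
! SSH enabled and version 2 ("SSH Enabled - version 2.0"); if it says
! "SSH Disabled", no RSA key exists yet.
show ip ssh
! Secrets stored as hashes: look for "secret 5", "secret 8" or "secret 9".
! A line reading "password 7 ..." is only obfuscated, "password ..." is cleartext.
show running-config | include ^enable|^username
! VTY lines accept SSH only, carry the access-class and an exec-timeout.
show running-config | section line vty
! The access list that guards the VTY lines, with hit counts per entry.
show access-lists TELNET-ACCESS
! Who is logged in right now, on which line and from which address.
show users
! Unused ports are administratively down.
show interfaces status | include disabled
! Every port sits in the VLAN intended for it; nothing unexpected in VLAN 1.
show vlan brief
```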