Cisco Switch Initial Configuration

The following are the different steps we’ll accomplish in this video:

  • Configure Hostname
  • Disable name resolution
  • Configure management IP address
  • Configure default gateway
  • Configure a local username and password
  • Configure enable password
  • Configure secret password
  • Configure console password
  • Configure synchronous logging on console
  • Configure an exec timeout of 10 minutes over console
  • Configure telnet access with a password
  • Configure synchronous logging over vty (telnet) lines
  • Configure exec timeout of 5 minutes over vty (telnet) lines
  • Configure vty (telnet) and console lines to use the local username and password
  • Encrypt all current and future vty, console, and enable passwords
  • Once you’ve done all this be SURE to copy your running-config to startup-config

Steps:

  • Configure Hostname – This is essentially the switch’s name. It’s really easy to set.
Switch#conf t  
Switch(config)#hostname Switch1 (or whatever you want it to be)  
Switch1(config)#  
  • Disable name resolution – Name resolution kicks in when you mistype a command by accident and the router/switch thinks that you want to resolve that name to an IP address, so you sit waiting for the lookup to fail
Switch1(config)#no ip domain-lookup  
  • Configure management IP address (to something like 192.168.0.100 with a subnet mask)
Switch1(config)# int vlan1  

Keep in mind that this is not a physical interface, it’s a logical interface. By default, on all new switches, Cisco throws every physical interface (i.e. fa0/1, fa0/2, etc) into vlan1. You can see which interfaces are assigned to which vlan by typing “show vlan brief”

Switch1(config-if)#ip address 192.168.0.100 255.255.255.0  
Switch1(config-if)#no shut  
  • Configure default gateway – The default gateway is the IP address of your router
Switch1(config)#ip default-gateway 192.168.0.1  
  • Configure a local username and password
Switch1(config)# username <username> password <password>  
(so for example) Switch1(config)# username TestAdmin password cisco
  • Configure enable password
Switch1>en  
Switch1#conf t  
Switch1(config)#enable password <password>  

You can verify this worked by exiting all the way out and then at the “Switch1>” prompt, type en. If you’re prompted for a password, success!
The problem with this is that if you do a show running-config, you’ll see this password listed in plain text. We’ll fix that in just a second.

  • Configure secret password – this overrides the enable password that we just set
Switch1>en  
Switch1#conf t  
Switch1(config)#enable secret <secret password>  

If you log all the way out of everything and type en at “Switch1>”, you’ll see that the original password you set (in the previous step) no longer works. The secret password overrides it and makes sure that the password doesn’t show in plain text. If you do a show run, you’ll now see two entries:
1. enable secret 5 $1$qpye$.6foHFFgbCR3oB2dgqjn0 (or something similar). The ‘5’ means that it’s hashed using MD5, which is outdated and considered weak today.
2. enable password <password>
You’ll also see the username and password that we created previously in step 5 listed in plain text.

  • Configure console password – makes sure that someone MUST authenticate when trying to console in using a rollover cable (a rollover cable is an RJ-45 to Serial connector). To use it with most computers nowadays, you usually have to have a Serial-to-USB adapter, seeing as most computers don’t have a serial port anymore.
Switch1>en  
Switch1#conf t  
Switch1(config)#line con 0 (or just ‘con’ for short)  
Switch1(config-line)#password <password>  
Switch1(config-line)#login  

This command is crucial. Without it, you won’t be able to log in over the console. Login forces the switch to use that password over the line.

  • Configure synchronous logging on console – This prevents the switch from displaying informational messages that get in your way when you’re trying to type
Switch1(config)#line con 0  
Switch1(config-line)#logging synchronous  
  • Configure an exec timeout of 10 minutes over console – This is an idle timeout. If there’s been no activity for X minutes, you’ll get logged out. It’s a basic security feature. You want this to be long enough that you don’t have to keep constantly logging in (like every minute or so), but you also don’t want it so long that someone could potentially hop on your computer if you step away for a minute.
Switch1(config-line)#exec-timeout <minutes>  
So, for example Switch1(config-line)#exec-timeout 10  
  • Configure telnet access with a password – Each switch has a different number of simultaneous lines that it supports.
  • To check to see how many lines your switch supports, you can type:
Switch1(config)#line vty ?  

After doing this, you’ll see something like “(0-15) First Line number”. This tells you that you have 16 simultaneous telnet lines available (numbered 0 through 15).

Switch1(config)#line vty 0 4  

I’m only going to configure line 0 through 4, because I don’t need that many lines available. If you wanted, you could do line vty 0 1 to only configure one line available

Switch1(config-line)#password <password>  
Switch1(config-line)#login  

This is the same as the console login. You MUST type this.

  • Configure synchronous logging over vty (telnet) lines
Switch1(config-line)#logging synchronous  
  • Configure exec timeout of 5 minutes over vty (telnet) lines
Switch1(config-line)#exec-timeout 5  

It’s probably a good idea to set this timeout lower than your console line timeout. If you’re logged in remotely, it’s more likely that someone could shoulder-surf or get on your computer than it is for someone to hijack a physical console session.

  • Configure vty (telnet) and console lines to use the local username and password
    In the console and telnet password steps above, we just typed login after we set the password. If you want, you can instead type login local. This will require the username and password that we set in the local username step, rather than just the password we set on the line.

  • Encrypt all current and future vty, console, and enable passwords
    At this point, if you do a show run, you’ll find that our line passwords (console and vty) as well as our local user passwords are listed in plain text. To encrypt these, type:

Switch1(config)#service password-encryption  

This encrypts any current passwords we have, as well as any future passwords. Do a show run again to verify this.

  • Once you’ve done all this be SURE to save all of your changes. Do this by typing:
Switch1# copy running-config startup-config  

A shorter way to do this is copy run start. If we don’t do this, when we restart our switch, all of our changes will be lost.
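As an added example (not part of the original post), here is a small Python audit script that reads a running-config and flags the states the steps above warn about: the plain-text enable password and username password before service password-encryption is applied, a type 5 (MD5) enable secret, a line without login, a line with login but no password, and a vty timeout that is not shorter than the console timeout. Both configs embedded in it are constructed for this example; the secret hash and passwords are placeholders, and the type 9 secret in the hardened config assumes an IOS version that supports enable algorithm-type scrypt, which the post does not cover.

```python
"""Audit a Cisco IOS running-config for the settings covered in the steps above."""
import re

# Constructed sample (not captured from a real device): the post's switch just after
# 'enable secret', before 'service password-encryption' and 'login local'. Placeholder hash.
SAMPLE_CONFIG = """\
hostname Switch1
username TestAdmin password 0 cisco
enable secret 5 $1$qpye$PLACEHOLDERHASHxxxxxxxxxx
enable password cisco
interface Vlan1
 ip address 192.168.0.100 255.255.255.0
line con 0
 password cisco
 login
 logging synchronous
 exec-timeout 10 0
line vty 0 4
 password cisco
 login
 logging synchronous
 exec-timeout 5 0
line vty 5 15
 login
"""

# Constructed finished state. 'login local' and 'service password-encryption' come from the
# post; the type 9 (scrypt) secret is an assumption about the IOS version, not the post's step.
HARDENED_CONFIG = """\
service password-encryption
username TestAdmin password 7 PLACEHOLDER
enable secret 9 $9$PLACEHOLDERHASHxxxxxxxxxx
line con 0
 login local
 logging synchronous
 exec-timeout 10 0
line vty 0 15
 login local
 logging synchronous
 exec-timeout 5 0
"""

DEFAULT_EXEC_TIMEOUT_MIN = 10.0  # IOS applies 10 minutes when exec-timeout is absent

def parse_lines(config):
    """Map each 'line ...' section name (e.g. 'con 0', 'vty 0 4') to its child commands."""
    sections, current = {}, None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" "):            # indented: belongs to the current section
            if current is not None:
                sections[current].append(raw.strip())
        else:                              # top level: start a line section or leave one
            current = raw[5:].strip() if raw.startswith("line ") else None
            if current is not None:
                sections[current] = []
    return sections

def exec_timeout_minutes(children):
    """Effective idle timeout in minutes; 'exec-timeout 0 0' means never, returned as inf."""
    for c in children:
        m = re.match(r"exec-timeout (\d+)(?: (\d+))?$", c)
        if m:
            minutes = int(m.group(1)) + int(m.group(2) or 0) / 60
            return float("inf") if minutes == 0 else minutes
    return DEFAULT_EXEC_TIMEOUT_MIN

def audit(config):
    """Return (line, finding) pairs for the weak states discussed in the post."""
    findings = []
    top = [l for l in config.splitlines() if l and not l.startswith(" ")]
    if "service password-encryption" not in top:
        findings.append(("global", "service password-encryption missing; line and username passwords show in plain text"))
    for c in top:
        m = re.match(r"enable secret (\d+) ", c)
        if m and m.group(1) == "5":
            findings.append(("global", "enable secret is type 5 (MD5-based), which is outdated"))
        elif c.startswith("enable password "):
            findings.append(("global", "enable password is set; enable secret overrides it and it is stored in plain text"))
        m = re.match(r"username (\S+) password (?:0 )?\S+$", c)   # 'password 7 ...' does not match
        if m:
            findings.append(("global", f"username {m.group(1)} has a plain-text password"))
    lines = parse_lines(config)
    console_timeout = exec_timeout_minutes(lines.get("con 0", []))
    for name, children in lines.items():
        has_password = any(c.startswith("password ") for c in children)
        if not any(c in ("login", "login local") for c in children):
            findings.append((name, "no 'login' or 'login local'; the line password is never asked for"))
        elif "login" in children and not has_password:
            findings.append((name, "'login' without a line password; IOS refuses the connection"))
        timeout = exec_timeout_minutes(children)
        if timeout == float("inf"):
            findings.append((name, "exec-timeout 0 disables the idle timeout"))
        if name.startswith("vty") and timeout >= console_timeout:
            findings.append((name, "vty exec-timeout is not shorter than the console timeout"))
    return findings
```

To use it on a real switch, save the output of show run to a file and pass its contents to audit() in place of the constructed constants. The timeout comparison treats exec-timeout 0 0 as infinite, so a never-expiring vty line is always reported, and the default of 10 minutes is applied to any line that has no exec-timeout at all, which is why the untouched vty 5 15 lines in the sample are flagged.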
