Getting Started

The first step in configuring a Cisco switch is to connect to the switch via a console cable. This can be done using an application such as PuTTY. If you don't know how to establish a console connection to the switch via PuTTY, an in-depth guide can be found here.

Privileged Execution Mode

Once a console connection has been established, press any key to get started. On the screen, you should see a terminal-like prompt starting with the word "Switch" (or something else if this switch's hostname has been previously assigned). To start entering commands, the console must be in Privileged Execution Mode. To get there, enter the command enable (or "en" for short). If there is a secret password, it will be prompted here. If not, one can be set up later. An indicator that the console is in Privileged Execution Mode is that the switch's name will end in # instead of >.

Once the console is in Privileged Execution Mode, a variety of commands can be used. Some common ones are listed below. You can see all possible commands by typing ?.

  • cd - Change current directory
  • copy - Copy from one file to another
  • delete - Delete a file
  • dir - List files on a filesystem
  • mkdir - Create new directory
  • rmdir - Remove existing directory
  • ping - Send echo messages
  • show - Show running system information
  • vtp - Configure global VTP state
  • configure - Enter configuration mode
  • clock - Manage the system clock

For the sake of this documentation, the 4 common commands used in Privileged Execution Mode are:

  • configure terminal (or "conf t" for short) - Enter the Global Configuration Mode.
  • show running-config (or "sh run" for short) - Shows the current running configuration.
  • write memory (or "wr mem" for short) - Saves the current running config to the startup config. Think of it as saving any changes you made.
  • exit - Exits out of Privileged Execution Mode

Global Configuration Mode

Once a console connection has been established and it is in Privileged Execution Mode, Global Configuration Mode can be entered. To enter Global Configuration Mode, enter conf t. The name of the switch should have previously ended in a # sign, but should now end in (config).

Once the console is in Global Configuration Mode, a variety of different commands can be used. Note that Privileged Execution Mode commands cannot be used here. Some common Global Configuration Mode commands are listed below. You can see all possible commands by typing ?.

  • banner - Define a login banner
  • ethernet - Ethernet configuration
  • interface - Select an interface to configure
  • ip - Global IPv4 configuration subcommands
  • ipv6 - Global IPv6 configuration commands
  • ntp - Configure NTP
  • vlan - Vlan commands
  • vtp - Configure global VTP state

For the sake of this documentation, the 4 common commands used in Global Configuration Mode are:

  • hostname - Used to change the switch's hostname
  • enable secret - Enables or changes the secret password to get into Privileged Execution Mode.
  • line vty # # - Configures remote access rules for SSH and Telnet
  • exit - exits out of Global Configuration Mode. Goes back to Privileged Execution Mode

Changing the hostname

Assigning a hostname is a good first step when configuring a switch. This hostname will be what other devices see the switch as, and is a good way to help organize a network. To change a switch's host name, enter the Global Configuration Mode.

Hint - You can get to Global Configuration Mode by entering enable and then configure terminal

The format for changing the hostname is hostname {new hostname}. For example, if I wanted my switch to be named "CoreSwitch1" I would enter hostname CoreSwitch1

Enabling a secret password

A good second step and a good security practice is to assign a secret password for console access. This password is required before Privileged Execution Mode can be entered. To enter a secret password, enter the Global Configuration Mode.

The format for entering or changing the secret password is enable secret {secret password}. For example, if I wanted the secret password for my switch to be "Password123" (not a very secure password), I would enter enable secret Password123

Enabling Remote Access

Assuming access to the switch will be needed later, but physically connecting via the console isn't a viable option, a remote access protocol will need to be enabled and configured. Two popular options for remote access into Cisco switches are Telnet and SSH. Because SSH is inherently more secure than Telnet, that is what this guide will cover. To enable SSH access, enter the Global Configuration Mode.

The format to enable SSH access is line vty # #. vty stands for Virtual Teletype, a virtual port used only for remote access via SSH or Telnet. The pound signs define the range of virtual lines, and therefore the number of active connections allowed for remote access. For example, the command line vty 0 4 will open a total of 5 (0,1,2,3,4) virtual interfaces that can be accessed. Next, we need to enable SSH on these virtual interfaces. This is done with the command transport input ssh. We then need to allow users to log in locally with the command login local. Finally, we want our SSH passwords to be safely encrypted on the switch. The best type of encryption available for Cisco switches is type 8. This encryption method is used with the command password 8. A list of all encryption types and best practices when using them is available here.

Note - This password SHOULD be different from your secret password entered earlier, just for security purposes. Some newer models of Cisco switches will not even allow the passwords to be the same.

Now we need to make a user to use when logging in via SSH. Exit out of editing SSH settings by running the command exit. Then make a new user with the following command: username {username here} password {password here}. For example, if my username was "Admin" and my password was "Password321", I would enter username admin password Password321

SSH is completely configured at this point; however, we need to assign a vlan and IP address so that we have something to SSH into. For this, make sure you are in Global Configuration Mode and enter the command interface vlan {#}. Replace the "#" with your vlan number. For example, if I was using vlan 1, I would enter interface vlan 1. This command will automatically create vlan 1 for us. Next we need to assign an IP address to this switch within this vlan. This is done with the command ip address {ip address of switch} {subnet mask of switch}. For example, if I wanted to assign the IP address 192.168.1.10 with the subnet mask 255.255.255.0, I would enter ip address 192.168.1.10 255.255.255.0. Enter the command no shut (short for no shutdown) to turn on the interface. The command is somewhat backwards logic: instead of saying "turn on this interface" you are saying "do not turn off this interface", and therefore the interface is turned on.

Now we need to assign that vlan and IP to a specific port on our switch. To do this, make sure you are in Global Configuration Mode and enter interface {interface name}{interface number}. You can see all available interfaces by entering the command show interface summary while in Privileged Execution Mode. For example, if I wanted to use interface "GigabitEthernet1/0/25" I would enter the command interface GigabitEthernet1/0/25 (GigabitEthernet can be abbreviated to "Gi"). Then enter the command switchport mode access to change this interface into an access port. Then assign it the defined vlan from earlier using the command switchport access vlan {#}. Using the example from earlier with vlan 1, my command would be switchport access vlan 1. A description can also be added to this port for better organization. Use the command description {description here}.

You should now be able to access the switch securely via SSH. To confirm this, we can do a couple of things. First, exit back to Privileged Execution Mode and run the command show vlan. This will show a list of all interfaces and their assigned vlans. You should see the interface you assigned earlier under the appropriate vlan. If everything looks right, you can either plug your switch into your existing network through the configured interface and attempt to ping it, or you can test locally by connecting a computer to the switch via the configured interface. Change the PC's network interface to a static address in the same vlan as the switch and see if you can ping it. If you can, attempt to SSH into it as well with ssh {username created earlier}@{switch address}. If you can successfully SSH into the switch, then this part of the setup is complete.
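The settings from this section can also be checked offline against saved show running-config output. The Python script below is an added example, not part of the original guide: it flags vty lines that are not restricted to SSH or lack login local, a missing enable secret, and credentials stored as type 0 or type 7. The sample configuration is constructed, and the function names are this example's own.

```python
import re

# Constructed sample of `show running-config` output (not from a real device).
SAMPLE = """\
enable secret 8 $8$CONSTRUCTED$PLACEHOLDER
username admin password 0 Password321
line con 0
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 transport input telnet ssh
!
"""

# Type 0 is stored in cleartext; type 7 is a reversible encoding.
WEAK_TYPES = {"0": "cleartext", "7": "reversible encoding"}
CRED = re.compile(r"^(enable secret|username \S+ (?:password|secret)) (\d+) ", re.M)

def vty_blocks(config):
    """Yield (header, sub-commands) for each 'line vty' section."""
    header, body = None, []
    for line in config.splitlines():
        if line.startswith("line vty"):
            if header:
                yield header, body
            header, body = line.strip(), []
        elif header and line.startswith(" "):
            body.append(line.strip())
        elif header:
            yield header, body
            header, body = None, []
    if header:
        yield header, body

def audit(config):
    """Return findings for the settings the guide configures."""
    findings = []
    if not re.search(r"^enable secret \S", config, re.M):
        findings.append("enable secret is not set")
    for what, ptype in CRED.findall(config):
        if ptype in WEAK_TYPES:
            findings.append(f"{what}: stored as type {ptype} ({WEAK_TYPES[ptype]})")
    for header, body in vty_blocks(config):
        transports = [b.split()[2:] for b in body if b.startswith("transport input")]
        if transports != [["ssh"]]:
            findings.append(f"{header}: transport input is not ssh only")
        if "login local" not in body:
            findings.append(f"{header}: login local is missing")
    return findings
```

Calling audit() on the text of a saved configuration returns an empty list when every vty range is SSH-only with login local and no credential is stored as type 0 or 7.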

Configuration of ports

Now that the switch and management interface are set up, the remaining ports need to be configured. Similarly to what was done in the previous step, the interfaces all need to be assigned a vlan. Instead of doing it one by one, a range can be defined. Exit to Global Configuration Mode and enter the command interface range {interface range}. For example, if I wanted to select interfaces GigabitEthernet1/0/1 through GigabitEthernet1/0/24, I would run interface range GigabitEthernet1/0/1-24. After the interface(s) have been selected, commands such as switchport mode access, switchport access vlan {#}, and description {description here} can be run and will be applied to all selected interfaces.