Configuring Cisco Switches: A Step by Step Guide
Cisco offers some of the world’s best networking equipment, however knowing how to configure those devices can be a challenge. In this article, we’ll review exactly how to configure a Cisco switch, and answer some frequently asked questions along the way.
Switches are a vital part of any network deployment and are often overlooked due to their native simplicity. Switch implementations can be easy for small networks, but quickly get complicated with V-LAN tagging, and round-robin scheduling for larger enterprise networks.
Unboxing Your Cisco Switch
You’ll want to verify your make and model of Cisco switch, as some models may have additional features and functionality that you’ll want to be aware of. Power on the switch and ensure it is in working order.
In order to continue, we’ll need to send commands to the switch in order to configure it before it is put on the network. In order to do this, we’ll use a popular command-line tool called PuTTY. PuTTY is a free open-source tool you can use to connect and configure devices through SSH and Telnet.
If for any reason you cannot use PuTTY, be sure to check out our list of PuTTY alternatives.
Connecting with PuTTY
- Using a 9-pin serial to USB cable, connect your switch to your laptop and launch PuTTY. Under the connection type settings, check the Serial options and mirror the settings below.
- Under the Category list on the left side, choose the Serial option. When you see the page that controls the local serial lines, enter the COM port your PC is using to connect with the switch. You can find this under Device Manager if you’re unsure. Example: COM1.
- For the digital transmission speed. This speed is based on the model of your switch. Series 300 and 500 switches use a baud of 115200.
- Under Data bits enter the value 8.
- Under Stop bits enter a value of 1.
- Under the Parity drop-down select the None option.
- Go to the Flow Control menu and select the None option as well.
Click Save in PuTTY and start the connection. Under the Category List choose the Session option from the left-hand column.
Enter a name for your new session so you can save it and use it in the future for other Cisco configurations. Name it something familiar and then click Save.
Click the Open button to launch the command-line interface (CLI).
Setting Privileged EXEC Mode
Under the factory default setting you do not need to enter a password; simply type Enable and then enter the Global Configuration Mode of the Cisco switch.
Type Enable into the console, then enter the following command:
Switch# configure terminal Switch(config)#
Next, we’ll assign a hostname to the Cisco switch. This will make it easier to find and allow you to set it to a naming convention that fits your network. The example below assigns the switch a name of “switch1:”
Switch(config)# hostname access-switch1 access-switch1(config#1
Setting a password on your Cisco switch
Once your hostname is set you’ll want to secure the privileged EXEC mode account to prevent anyone from making unauthorized changes. To assign an admin password, enter the following:
access-switch1(config)# enable secret YoUrS3creTP@ssw0rd
The above example uses YoUrS3creTP@ssw0rd
as an example. You can of course use whatever valid password you’d like. Just ensure it is a strong password.
Telnet & Console Access
The next step is to configure additional passwords for both Telnet and console access. Missing this step could leave your device vulnerable and wide open to anyone who might be poking around. Below are the commands for configuring both Console and Telnet passwords:
Console: access-switch1(config)# line console 0 access-switch1(config-line)# password YoUrS3creTP@ssw0rd access-switch1(config-line)# login access-switch1(config-line)# exit access-switch1(config)# Telnet: access-switch1(config)# line vty 0 15 access-switch1(config-line)# password YoUrS3creTP@ssw0rd access-switch1(config-line)# login access-switch1(config-line)# exit access-switch1(config)#
Setting Device Access
Next, we’ll decide what IP address will be allowed to Telnet into the devices through tools like PuTTY. This works similar to how a whitelist would work, so only IP addresses listed in this section will be allowed to remote in for access.
Replace the example 0.0.0.0 IP address with your own, and ensure that the IP addresses you are adding are static reservations, so you don’t lose access:
access-switch1(config)# ip access-list standard TELNET-ACCESS access-switch1(config-std-nacl)# permit 0.0.0.0 access-switch1(config-std-nacl)# permit 0.0.0.0 access-switch1(config-std-nacl)# exit
Next, you can choose to set your network’s Access Control Lists (ACLs) to the virtual terminal lines. An ACL list will help ensure that only administrators can connect to the switch via Telnet:
access-switch1(config)# line vty 0 15 access-switch1(config-line)# access-class TELNET-ACCESS in access-switch1(config-line)# exit access-switch1(config)#
Setting the Management Interface
The next step is to choose which IP address will manage the Cisco switch. This will require you to configure a network management IP address. Since Cisco switches don’t come with factory default IP addresses, you won’t be able to connect via SSH or Telnet yet.
You can create a virtual LAN on the switch and make a virtual interface with an IP address by doing the following:
access-switch1(config)# interface vlan 1 access-switch1(config-if)# ip address 10.1.1.100 255.255.255.0 access-switch1(config-if)# exit access-switch1(config)#
The above command creates a new management IP address on VLAN 1 using an IP address of 10.1.1.100 and a subnet mask of 255.255.255.0 in the above example.
Setting the default gateway
We’ll need to tell the Cisco switch where to look on the network for the router. This is called assigning the default gateway of the device and will be one of the last steps before the switch is able to contact other devices. Change the example 10.1.1.10 IP address to the IP address of your router:
access-switch1(config)# ip default-gateway 10.1.1.10
Closing Unused Ports
It’s best practice to close off any unused ports on the switch. This significantly reduces the number of points an attacker could use to gain unauthorized access to the network. All ports are open by default so you’ll want to make sure you follow this step.
The command below will close port 22 and 100-1000. You’ll want to change this to reflect what is right for your network:
access-switch1(config)# interface range fe 22/100-1000 access-switch1(config-if-range)# shutdown access-switch1(config-if-range)# exit access-switch1(config)#
Save Your Work
Save your configurations to ensure that they are written to memory so they are not lost when the device is restarted with the following command:
access-switch1(config)# exit access-switch1# wr
Setup NetFlow for Management
This next step is optional but enables the use of a network traffic analyzer to monitor packets through the switch using the NetFlow protocol. By default, this is off but it is beneficial to turn it on now so you can use it in the future.
To start, we must enter Global Configuration Mode by entering the following command:
Switch# configure terminal
Next, we have to publish a flow record. Below the flow record is named Example1, you can pick whatever you’d like.
#flow record Example1
After that, we’ll need to outline the source address, destination, and protocol as well as the transport source port, destination, and interface options. Enter the following command:
Switch# match ipv4 source address Switch# match ipv4 destination address Switch# match ipv4 protocol Switch# match transport source-port Switch# match transport destination-port Switch# match ipv4 tos Switch# match interface input Switch# collect interface output
Next, we’ll define the data that will be collected on the flow record by entering the next set of commands:
Switch# collect interface output Switch# collect counter bytes Switch# collect counter packets Switch# collect timestamp sys-uptime first Switch# collect timestamp sys-uptime last
Next, we’ll build the Flow Exporter which allows the flow to store the information that you wish to export to a separate network analyzer. We’ll first need to assign it a name.
Switch# flow exporter Exampleexport
Next, enter the IP address of the server that your network traffic analyzer resides on:
Switch# destination 123.456.79.10
The following command sets the source interface that will be used to export the data:
Switch# destination source gigabitEthernet 0/1
Set the port below to match the listening port of your network traffic analyzer software:
Switch# transport UDP 1137
Set the type of protocol data that you wish to export:
Switch# export-protocol netflow-v9
Set a timeout of 60 to avoid any data loss during network disturbances:
Switch# template data timeout 60
Last but not least we’ll need to create a flow monitor. Each monitor needs at least one record to properly export data. Below we’ll create one in six steps and associate it with our previous flow record.
Create the flow record with the following command:
Switch# flow monitor Examplemonitor1
Next, let’s associate the new flow monitor with the flow record we created earlier:
Switch# record Example1
Switch# exporter Exampleexport
To help eliminate the possibility of data loss we’ll set the cache timeout active to 60 and the cache timeout inactive to 15 by doing the following:
Switch# cache timeout active 60 Switch# cache timeout inactive 15
Let’s exit and input the interfaces we created:
Switch# exit
For the interfaces to work they must be defined so the NetFlow protocol function will work. Assuming this connection is over ethernet the following command will configure NetFlow over ethernet:
Switch# interface gigabitEthernet 0/1
Now we’ll tell our newly created monitor where and how to collect data. By simply defining input the command will collect data in both directions:
Switch# ip flow monitor Examplemonitor1 input
If you wish to only use one interface for NetFlow data collection, you’ll need to specify both input and output by defining the following:
Switch# ip flow monitor Examplemonitor1 input Switch# ip flow monitor Examplemonitor1 input
Exit the configuration menu by entering the following command:
Switch# exit
Save your configuration changes by using the following command:
access-switch1(config)# exit access-switch1# wr
Cisco Switches FAQs
How do I set a static IP address on a Cisco switch?
You can create a template file on your desktop that can pull network information quickly from the template to set the IP address of your switch with relative ease. Just be sure to change out the information in the template wrapped in brackets below before saving. You can save this file to your desktop for easy access.
Config t Interface <VLAN ID> No ip address DHCP Y No ip address <old IP address> IP address <new IP address> <subnet mask> Exit IP default-gateway <gateway IP address>
Now under the administration menu of the switch go to Switch Management.
Under that menu, click on Administration, then File Management and choose File Operations. Inside the File Operation screen, enter the following settings:
Operation Type: Update File Destination File Type: Running Configuration Copy Method: HTTP/HTTPS File Name: (Navigate to the path where you stored the file)
Click Apply.
Now your switch will have a static IP address based on the settings you outlined in the text file.
Are Cisco switches plug and play?
Nowadays most switches are ready right out of the box. Most network administrators will want to configure settings manually and to their liking before joining the device to the network.
How do I know what ports to open or close?
For enterprise and business environments most system administrators like to use the “zero-trust model” for network security. In short, closing all ports and only opening them as needed is seen as a good security practice. You can get a better understanding of what devices are using what ports by running a port scanner software such as LanSweeper and reviewing the NAT policies and access rules inside your firewall.
Conclusion
In a world where switches and other devices just “work” it’s good to know how to configure equipment to your liking so it fits best with your security and network architecture. Do you enjoy using Cisco switches? Let us know in the comments below.