
Topic 7A. Configuring A CISCO IOS Switch

Configuring a CISCO IOS Switch involves the following key steps: 1. Connect to the console port using a terminal emulator and configure basic settings like the IP address, hostname, and passwords. 2. Create VLANs to logically segment the network and assign access ports to VLANs to control network access. 3. Configure a trunk port to allow multiple VLANs to transmit across a single port and interconnect switches.

Uploaded by

simonnjau

Configuring a CISCO IOS Switch

Things to know before setting up a network switch


- There are a lot of nuances related to the configuration of a switch that aren’t obvious to beginners. Here are some basic tips to be aware of before you start.

Command line completion, the tab key, and up/down arrows are time savers

- Typos are a pain, and typing out long commands is tedious. Fortunately, Cisco’s IOS has features that can help you avoid typos and work faster:

1. Command Line completion. Once you type enough of a command that it is unique, you
can just hit enter. For example, instead of typing “configure terminal”, you can use the
command “config t” like this:

Switch#config t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#

2. Tab completion. Hitting the tab key once you have enough unique text on the screen will
auto-complete a command. For example, hitting tab after “conf” auto-completes to “configure”.

3. Command scrolling with up/down keys. Need to rerun a command? You can scroll
through your command history with the up/down arrows on your keyboard.

4. Bonus! Use “?” for added help. Hitting “?” at the beginning of a command prompt will
show you all the commands that are available in the current context. Hitting “?” after a
command will show you all the parameters that are available in that context.

Access levels and modes


- There are several Cisco access levels and modes, each of which allows one to run different commands.

Cisco mode                            Prompt                Command to enter              Command to exit
                                                            (from upper-level mode)       (to upper-level mode)
User EXEC                             Switch>               default mode                  logout or exit
Privileged EXEC                       Switch#               enable                        disable
  (access from User EXEC)
Global configuration                  Switch(config)#       config t                      CTRL/Z
  (access from Privileged EXEC)
Interface configuration               Switch(config-if)#    interface <interface name>    exit
  (access from global configuration)
Line configuration                    Switch(config-line)#  line <line name/number>       exit
  (access from global configuration)

CISCO IOS Command Hierarchy (figure)
Console ports and cables
- When you’re connecting to a switch for the first time, you’re often doing it through the console port. Usually, this is done by connecting a serial cable to the switch. You can also use a USB to serial adapter to make the connection.
- Once the physical connections are made, how can you actually access the CLI? By using a terminal emulator. For Windows, there are several popular emulator options, like PuTTY, RealTerm, and Tera Term. MacOS can make use of the same emulators as Linux, including screen, minicom, and tmux.

Startup config vs. running config


- Your switch actually has two “config” types and locations. A switch’s running config is stored in RAM. Its startup config is stored in nonvolatile memory.
- Why is this important? Take it from someone who has made the mistake too many times: if your configuration changes aren’t saved to the startup config, you’ll lose them when the switch reboots. As you make changes to the running config, you’ll see them take effect in real time. However, you need to explicitly save those changes to the startup config for them to persist. Save yourself some pain and double-check before moving on.

How to configure a network switch


- Now that you know the basics, we can move on to the commands. Here, we’ll walk through 10 of the most important basic network switch configuration steps.
- While any particular production deployment will likely require specific additional steps (e.g. for additional hardening and user management), these commands will help you hit the ground running.

Note: The example commands and output are based on Cisco Packet Tracer’s default 2960
switch running SW version 15.0(2)SE4.
Step 1: Connect to the console
If you’re doing a lab with a simulator/emulator or accessing the CLI via SSH, you can skip this
step.

You need to start with a connection to the console port. That means configuring your terminal
emulator software and connecting your rollover cable between your switch’s console port and
your PC.
Many Cisco switches use these serial settings:

 Baud rate: 9600
 Data bits: 8
 Stop bits: 1
 Parity: None

Assuming your PC’s serial port is COM1, if you use PuTTY on Windows, you can set the session
up with these values under the “Serial” options in the menu.

Once your cable is connected and the session is set up, click Open. Then press enter to get a
response at the terminal window.

Step 2: Set a management IP and default gateway


The management IP address is where you can log in to the switch for future administrative
tasks. Once your management IP is set up, you can use it to SSH into the switch and configure
it over the network.
First, we access Privileged EXEC mode with the “enable” switch configuration command:

Switch>enable
Switch#

From there, we enter Global Configuration mode with “config t” (or “configure terminal”):

Switch#config t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#

Next, we access the VLAN interface:

Switch(config)#interface vlan 1
Switch(config-if)#

Now, we can assign the management IP and subnet. In this example, we will assign
10.10.11.11 with a 255.255.255.0 subnet. Be sure to replace this with the correct values
for your switch!

Switch(config-if)#ip address 10.10.11.11 255.255.255.0
Switch(config-if)#

We can exit interface configuration mode and assign a default gateway for the switch from
global configuration mode.

Switch(config-if)#exit
Switch(config)#ip default-gateway 10.10.11.1
Switch(config)#

Step 3: Set hostname and domain name


In addition to setting the IP address of the switch, you should give it a logical hostname. To do
that, we enter global configuration mode and use the hostname command:

Switch(config)#hostname S1
S1(config)#

Similarly, we can also add a domain name with the ip domain-name command:

S1(config)#ip domain-name jm.local
S1(config)#

Step 4: Set logins on VTY lines and console port


Strong passwords are an important part of hardening a managed switch, so next we’ll add a
password to all virtual terminal (VTY) lines. Our switch has 16 VTY lines which are used for
remote access, so we’ll configure the entire range from 0-15:

S1(config)#line vty 0 15
S1(config-line)#password BigSecretDon'tT3ll@ny1
S1(config-line)#

Next, we’ll exit the VTY configuration, access console line 0, and assign it a separate password:

S1(config-line)#exit
S1(config)#line console 0
S1(config-line)#password BigSecretForConsoleDon'tT3ll@ny1
S1(config-line)#

Step 5: Set Privileged EXEC password


In addition to password protecting the VTY and console lines, we can and should protect
Privileged EXEC mode with a password.

We can do that from global configuration mode:

S1(config-line)#exit
S1(config)#enable secret Top$ecretPrivEXECpassWORD
S1(config)#

Note: Because switch security is a complex topic, and we’re focused on the basics, we won’t go
into user management here. However, be sure to properly configure users or remote
authentication servers before a production deployment.

Step 6: Enable SSH


At some point, you’ll find yourself in need of access to your network devices, and you’re not
physically in the same room as them. To access a switch’s CLI over the network, you’ll need to
use Telnet or SSH. From a security perspective, Telnet is usually a non-starter because data is
transmitted in plaintext. That leaves us with SSH.
The first step to enabling SSH is generating the RSA keys:

S1(config)#crypto key generate rsa
The name for the keys will be: S1.jm
Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys.
Choosing a key modulus greater than 512 may take a few minutes.

How many bits in the modulus [2048]:
% Generating 2048-bit RSA keys, keys will be non-exportable...[OK]

S1(config)#

Next, we’ll set the SSH version to 2:

S1(config)#ip ssh version 2
*Mar 4 7:4:9.374: %SSH-5-ENABLED: SSH 1.99 has been enabled
S1(config)#

Now, we can set SSH up on specific VTY lines. I’ll use the first 6 lines here:

S1(config)#line vty 0 5
S1(config-line)#transport input ssh

Finally, we’ll tell the switch to check the local users’ database to authenticate users:

S1(config-line)#login local
S1(config-line)#

Step 7: Create VLANs


One of the most obvious reasons to use a managed switch is the ability to create VLANs to
separate network segments. We can do that by using the vlan command, and then assigning
our VLAN a name. For example, to create VLAN 2 and name it “staff”:

S1(config-line)#vlan 2
S1(config-vlan)#name staff
S1(config-vlan)#

You can now exit, and repeat these steps for as many VLANs as you need.

Step 8: Add access ports to a VLAN


After we create our VLANs, we can add ports to them. For example, to add ports 5, 6, and 7 as
access ports in VLAN 2, we can use these switch configuration commands:

S1(config-vlan)#exit
S1(config)#interface range fastEthernet 0/5-7
S1(config-if-range)#switchport mode access
S1(config-if-range)#switchport access vlan 2
S1(config-if-range)#

Step 9: Configure trunk ports


If you need one port to transmit traffic from multiple VLANs, you’ll need to designate it a “trunk
port”. To make a port a trunk port, we simply access its configuration and set the mode to
trunk. For example, to make port 2 on our switch a trunk port:

S1(config-if-range)#exit
S1(config)#interface fastEthernet 0/2
S1(config-if)#switchport mode trunk
S1(config-if)#

Step 10: Save configuration


When our configuration is complete, we can save our changes to the startup configuration.
Don’t forget this step, or all your work will be gone come the next switch reboot!

S1(config-if)#exit
S1(config)#exit
S1#
%SYS-5-CONFIG_I: Configured from console by console

S1#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
S1#
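To check that a switch actually ended up in the state Steps 2 through 10 describe, it helps to read its saved configuration back rather than trust memory. The script below is an added example, not part of the original notes: it parses a running-config one mode level deep (global commands versus the interface and line sub-modes from the table above), then checks the management IP and gateway, the enable secret, the per-line login method and SSH-only VTY transport, and summarises access and trunk ports per VLAN. The sample config is constructed by hand to resemble what the steps leave behind (the enable secret hash is a placeholder), and the check names are this script's own conventions, not IOS ones.

```python
"""Audit a saved Cisco IOS running-config against Steps 2-10 above.
Added example, not from the original notes: the sample config is constructed by
hand and the check names are this script's own conventions."""

# Constructed sample, trimmed to what the steps above leave in `show running-config`.
# Indented lines belong to the sub-mode (interface, line) opened on the line above.
SAMPLE_CONFIG = """\
hostname S1
enable secret 5 $1$xxxx$CONSTRUCTED.PLACEHOLDER.HASH
ip domain-name jm.local
ip ssh version 2
!
interface FastEthernet0/2
 switchport mode trunk
interface FastEthernet0/5
 switchport access vlan 2
 switchport mode access
interface FastEthernet0/6
 switchport access vlan 2
 switchport mode access
interface Vlan1
 ip address 10.10.11.11 255.255.255.0
ip default-gateway 10.10.11.1
!
line con 0
 password BigSecretForConsoleDon'tT3ll@ny1
 login
line vty 0 5
 password BigSecretDon'tT3ll@ny1
 login local
 transport input ssh
line vty 6 15
 password BigSecretDon'tT3ll@ny1
 login
end
"""


def parse_sections(text):
    """Split the config into (header, [sub-commands]) blocks, one level deep."""
    sections = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!") or raw.strip() == "end":
            continue
        if raw.startswith(" ") and sections:
            sections[-1][1].append(raw.strip())  # sub-mode command
        else:
            sections.append((raw.strip(), []))   # global command / mode header
    return sections


def blocks(sections, prefix):
    """All blocks whose header command starts with `prefix`."""
    return [s for s in sections if s[0].startswith(prefix)]


def audit(text):
    """Return {check: [findings]}; an empty list means the check passed."""
    s = parse_sections(text)
    out = {}
    # Step 2: management address on the SVI plus a default gateway
    svi_ip = any(c.startswith("ip address ") for _, ch in blocks(s, "interface Vlan") for c in ch)
    out["management_ip"] = [] if svi_ip else ["no ip address on an interface Vlan"]
    out["default_gateway"] = [] if blocks(s, "ip default-gateway ") else ["ip default-gateway missing"]
    # Step 5: privileged EXEC guarded by a hashed enable secret, not a plain enable password
    out["enable_secret"] = [] if blocks(s, "enable secret ") else ["enable secret missing"]
    out["enable_password"] = [h for h, _ in blocks(s, "enable password ")]
    # Step 6: SSH v2 and SSH-only VTY lines; Step 4: each line needs a login method
    out["ssh_v2"] = [] if blocks(s, "ip ssh version 2") else ["ip ssh version 2 missing"]
    lines = []
    for header, ch in blocks(s, "line "):
        if not any(c == "login" or c.startswith("login ") for c in ch):
            lines.append(f"{header}: no login method")
        if header.startswith("line vty") and "transport input ssh" not in ch:
            lines.append(f"{header}: not restricted to SSH (Telnet still accepted)")
        # `service password-encryption` would rewrite these as `password 7 <hex>`
        if any(c.startswith("password ") and not c.startswith("password 7 ") for c in ch):
            lines.append(f"{header}: line password stored in clear text")
    out["lines"] = lines
    return out


def vlan_summary(text):
    """Steps 7-9: map access ports to their VLAN id and list trunk ports."""
    access, trunks = {}, []
    for header, ch in blocks(parse_sections(text), "interface "):
        name = header.split(" ", 1)[1]
        if "switchport mode trunk" in ch:
            trunks.append(name)
        for c in ch:
            if c.startswith("switchport access vlan "):
                access.setdefault(int(c.rsplit(" ", 1)[1]), []).append(name)
    return access, trunks


if __name__ == "__main__":
    for check, findings in audit(SAMPLE_CONFIG).items():
        print(f"{check:16} {'OK' if not findings else '; '.join(findings)}")
    print(vlan_summary(SAMPLE_CONFIG))
```

Run against the sample, the audit passes the address, gateway, enable secret and SSH version checks but flags two things the walkthrough leaves open: Step 6 only applied transport input ssh to VTY lines 0-5, so lines 6-15 still accept Telnet (the cheat sheet below notes that allowing both is the default), and the line passwords are stored in clear text because service password-encryption was never enabled.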

A Summary of CISCO IOS Commands

- Almost all Cisco devices use Cisco IOS to operate and the Cisco CLI to be managed. The basic CLI commands for all of them are the same, which simplifies Cisco device management. Here is a Cisco commands cheat sheet that describes the basic commands for configuring, securing and troubleshooting Cisco network devices.

Basic Configuration Commands

enable
    Logs you into enable mode, also known as privileged EXEC mode.

configure terminal
    Logs you into configuration mode.

interface fastethernet number
    Enters interface configuration mode for the specified Fast Ethernet interface.

reload
    An exec mode command that reboots a Cisco switch or router.

hostname name
    Sets a host name on the current Cisco network device.

copy from-location to-location
    An enable mode command that copies files from one file location to another.

copy running-config startup-config
    An enable mode command that saves the active config, replacing the startup config used when a Cisco network device initializes.

copy startup-config running-config
    An enable mode command that merges the startup config with the currently active config in RAM.

write erase
erase startup-config
    Enable mode commands that delete the startup config.

ip address ip-address mask
    Assigns an IP address and a subnet mask.

shutdown
no shutdown
    Used in interface configuration mode. “shutdown” shuts down the interface, while “no shutdown” brings up the interface.

ip default-gateway ip-address
    Sets the default gateway on a Cisco device.

show running-config
    An enable mode command that displays the current configuration.

description name-string
    An interface configuration command to describe or name an interface.

show running-config interface interface slot/number
    An enable mode command to display the running configuration for a specific interface.

show ip interface [type number]
    Displays the usability status of interfaces that are configured for IP.

ip name-server serverip-1 serverip-2
    A configure mode command that sets the IP addresses of DNS servers.

Troubleshooting Commands

ping {hostname | system-address} [source source-address]
    Used in enable mode to diagnose basic network connectivity.

speed {10 | 100 | 1000 | auto}
    An interface mode command that manually sets the speed to the specified value or negotiates it automatically.

duplex {auto | full | half}
    An interface mode command that manually sets duplex to half, full or auto.

cdp run
no cdp run
    A configuration mode command that enables or disables Cisco Discovery Protocol (CDP) for the device.

show mac address-table
    Displays the MAC address table.

show cdp
    Shows whether CDP is enabled globally.

show cdp neighbors [detail]
    Lists summary information about each neighbor connected to this device; the “detail” option lists detailed information about each neighbor.

show interfaces
    Displays detailed information about interface status, settings and counters.

show interface status
    Displays the interface line status.

show interfaces switchport
    Displays a large variety of configuration settings and current operational status, including VLAN trunking details.

show interfaces trunk
    Lists information about the currently operational trunks and the VLANs supported by those trunks.

show vlan
show vlan brief
    Lists each VLAN and all interfaces assigned to that VLAN, but does not include trunks.

show vtp status
    Lists the current VTP status, including the current mode.

Routing and VLAN Commands

ip route network-number network-mask {ip-address | interface}
    Sets a static route in the IP routing table.

router rip
    Enables a Routing Information Protocol (RIP) routing process, which places you in router configuration mode.

network ip-address
    In router configuration mode, associates a network with a RIP routing process.

version 2
    In router configuration mode, configures the software to receive and send only RIP version 2 packets.

no auto-summary
    In router configuration mode, disables automatic summarization.

default-information originate
    In router configuration mode, generates a default route into RIP.

passive-interface interface
    In router configuration mode, sets only that interface to passive RIP mode. In passive RIP mode, RIP routing updates are accepted by, but not sent out of, the specified interface.

show ip rip database
    Displays the contents of the RIP routing database.

ip nat {inside | outside}
    An interface configuration mode command to designate that traffic originating from or destined for the interface is subject to NAT.

ip nat inside source {list {access-list-number | access-list-name}} interface type number [overload]
    A configuration mode command to establish dynamic source translation. Use of the “list” keyword enables you to use an ACL to identify the traffic that will be subject to NAT. The “overload” option enables the router to use one global address for many local addresses.

ip nat inside source static local-ip global-ip
    A configuration mode command to establish a static translation between an inside local address and an inside global address.

vlan
    Creates a VLAN and enters VLAN configuration mode for further definitions.

switchport access vlan
    Sets the VLAN that the interface belongs to.

switchport trunk encapsulation dot1q
    Specifies 802.1Q encapsulation on the trunk link.

switchport access
    Assigns this port to a VLAN.

vlan vlan-id [name vlan-name]
    Configures a specific VLAN name (1 to 32 characters).

switchport mode {access | trunk}
    Configures the VLAN membership mode of a port. The access port is set to access unconditionally and operates as a non-trunking, single VLAN interface that sends and receives non-encapsulated (non-tagged) frames. An access port can be assigned to only one VLAN. The trunk port sends and receives encapsulated (tagged) frames that identify the VLAN of origination. A trunk is a point-to-point link between two switches or between a switch and a router.

switchport trunk {encapsulation {dot1q}}
    Sets the trunk characteristics when the interface is in trunking mode. In this mode, the switch supports simultaneous tagged and untagged traffic on a port.

encapsulation dot1q vlan-id
    A configuration mode command that defines the matching criteria to map 802.1Q frames ingress on an interface to the appropriate service instance.

DHCP Commands

ip address dhcp
    A configuration mode command to acquire an IP address on an interface via DHCP.

ip dhcp pool name
    A configuration mode command to configure a DHCP address pool on a DHCP server and enter DHCP pool configuration mode.

domain-name domain
    Used in DHCP pool configuration mode to specify the domain name for a DHCP client.

network network-number [mask]
    Used in DHCP pool configuration mode to configure the network number and mask for a DHCP address pool primary or secondary subnet on a Cisco IOS DHCP server.

ip dhcp excluded-address ip-address [last-ip-address]
    A configuration mode command to specify IP addresses that a DHCP server should not assign to DHCP clients.

ip helper-address address
    An interface configuration mode command to enable forwarding of UDP broadcasts, including BOOTP, received on an interface.

default-router address [address2 ... address8]
    Used in DHCP pool configuration mode to specify the default router list for a DHCP client.

Security Commands

password pass-value
    Lists the password that is required if the login command (with no other parameters) is configured.

username name password pass-value
    A global command that defines one of possibly multiple user names and associated passwords used for user authentication. It is used when the login local line configuration command has been used.

enable password pass-value
    A configuration mode command that defines the password required when using the enable command.

enable secret pass-value
    A configuration mode command that sets this Cisco device password that is required for any user to enter enable mode.

service password-encryption
    A configuration mode command that directs the Cisco IOS software to encrypt the passwords, CHAP secrets, and similar data saved in its configuration file.

ip domain-name name
    Configures a DNS domain name.

crypto key generate rsa
    A configuration mode command that creates and stores (in a hidden location in flash memory) the keys that are required by SSH.

transport input {telnet | ssh}
    Used in vty line configuration mode, defines whether Telnet or SSH access is allowed into this switch. Both values can be specified in a single command to allow both Telnet and SSH access (default settings).

access-list access-list-number {deny | permit} source [source-wildcard] [log]
    A configuration mode command that defines a standard IP access list.

access-class
    Restricts incoming and outgoing connections between a particular vty (into a basic Cisco device) and the addresses in an access list.

ip access-list {standard | extended} {access-list-name | access-list-number}
    A configuration mode command that defines an IP access list by name or number.

permit source [source-wildcard]
    Used in ACL configuration mode to set conditions to allow a packet to pass a named IP ACL. To remove a permit condition from an ACL, use the “no” form of this command.

deny source [source-wildcard]
    Used in ACL configuration mode to set conditions in a named IP ACL that will deny packets. To remove a deny condition from an ACL, use the “no” form of this command.

ntp peer <ip-address>
    Used in global configuration mode to configure the software clock to synchronize a peer or to be synchronized by a peer.

switchport port-security
    Used in interface configuration mode to enable port security on the interface.

switchport port-security maximum maximum
    Used in interface configuration mode to set the maximum number of secure MAC addresses on the port.

switchport port-security mac-address {mac-addr | {sticky [mac-addr]}}
    Used in interface configuration mode to add a MAC address to the list of secure MAC addresses. The “sticky” option configures the MAC addresses as sticky on the interface.

switchport port-security violation {shutdown | restrict | protect}
    Used in interface configuration mode to set the action to be taken when a security violation is detected.

show port-security [interface interface-id]
    Displays information about security options configured on the interface.
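The four port-security commands above combine into one mechanism whose behaviour is easiest to see in a small model. The class below is an added example, not Cisco code: it tracks a port's secure MAC table up to the configured maximum, records sticky-learned addresses the way the running-config would, and applies the three violation actions when an unknown source MAC arrives at a full port (protect drops silently, restrict drops and counts, shutdown err-disables the port so even known addresses stop forwarding). The class and method names and the MAC addresses are this script's own constructions.

```python
"""Model of `switchport port-security` on one interface: a per-port limit on
secure MAC addresses, static and sticky learning, and the three violation
actions. Added example, not Cisco code; names and sample MACs are constructed."""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    maximum: int = 1               # switchport port-security maximum <n>
    violation: str = "shutdown"    # switchport port-security violation {shutdown|restrict|protect}
    sticky: bool = False           # switchport port-security mac-address sticky
    secure_macs: set = field(default_factory=set)
    sticky_macs: list = field(default_factory=list)  # what sticky learning writes to the config
    violations: int = 0
    err_disabled: bool = False

    def add_static(self, mac):
        """switchport port-security mac-address <mac-addr>: pre-authorise one MAC."""
        if len(self.secure_macs) >= self.maximum:
            raise ValueError(f"{self.name}: secure MAC limit {self.maximum} reached")
        self.secure_macs.add(mac.lower())

    def ingress(self, src_mac):
        """Return 'forward' or 'drop' for a frame from src_mac, applying the
        configured violation action when an unknown MAC hits a full port."""
        mac = src_mac.lower()
        if self.err_disabled:
            return "drop"                    # stays down until an admin re-enables the port
        if mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(mac)        # dynamically learned secure MAC
            if self.sticky:
                self.sticky_macs.append(mac)  # sticky: would persist in running-config
            return "forward"
        # Unknown MAC and the port already holds `maximum` secure addresses
        if self.violation == "protect":
            return "drop"                    # silently dropped: no counter, no syslog
        self.violations += 1                 # restrict and shutdown both count and log
        if self.violation == "restrict":
            return "drop"
        self.err_disabled = True             # shutdown: err-disable the whole port
        return "drop"


def demo():
    """Constructed scenario: one authorised MAC, then a stranger, then the
    authorised MAC again, on a port configured with each violation action."""
    results = {}
    frames = ("00:11:22:33:44:55", "00:11:22:33:44:66", "00:11:22:33:44:55")
    for action in ("shutdown", "restrict", "protect"):
        port = SecurePort(f"Fa0/{len(results) + 5}", maximum=1, violation=action, sticky=True)
        outcome = [port.ingress(m) for m in frames]
        results[action] = (outcome, port.violations, port.err_disabled, port.sticky_macs)
    return results


if __name__ == "__main__":
    for action, (outcome, count, disabled, sticky) in demo().items():
        print(f"{action:9} {outcome} violations={count} err-disabled={disabled} sticky={sticky}")
```

The scenario shows the operational trade-off behind the violation keyword: shutdown takes the legitimate host offline together with the offender, while restrict keeps the authorised MAC forwarding and still produces a violation count that show port-security and syslog can surface.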

Monitoring and Logging Commands

logging ip-address
    Configures the IP address of the host that will receive the system logging (syslog) messages.

logging trap level
    Used in configuration mode to limit messages that are logged to the syslog servers based on severity. Specify the number or name of the desired severity level at which messages should be logged.

show logging
    An enable mode command that displays the state of system logging (syslog) and the contents of the standard system logging buffer.

terminal monitor
    An enable mode command that tells Cisco IOS to send a copy of all syslog messages, including debug messages, to the Telnet or SSH user who issues this command.
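The severity argument of logging trap is a threshold, not a single level: a message is sent to the syslog server when its severity number is at or below the configured level, with 0 (emergencies) the most severe and 7 (debugging) the least. The script below is an added example, not Cisco code: it parses the %FACILITY-SEVERITY-MNEMONIC header that the switch output earlier on this page uses (%SYS-5-CONFIG_I, %SSH-5-ENABLED) and applies that threshold to a constructed batch of log lines. The sample lines and the function names are this script's own.

```python
"""Apply `logging trap <level>` semantics to Cisco IOS syslog lines: forward a
message when its severity number is at or below the configured level (lower
number = more severe). Added example, not Cisco code; sample lines constructed."""
import re

# Severity names accepted by `logging trap`, mapped to their numeric levels
SEVERITY = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
            "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

# %FACILITY-SEVERITY-MNEMONIC: text, optionally preceded by a timestamp
MSG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)")

# Constructed sample: the first two lines appear earlier on this page, the rest
# follow the same format with constructed text; the last line has no IOS header.
SAMPLE_LOG = [
    "*Mar 4 7:4:9.374: %SSH-5-ENABLED: SSH 1.99 has been enabled",
    "%SYS-5-CONFIG_I: Configured from console by console",
    "%LINK-3-UPDOWN: Interface FastEthernet0/5, changed state to down",
    "%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred on FastEthernet0/5",
    "%SYS-7-USERLOG_DEBUG: constructed debug-level message",
    "not a syslog line at all",
]


def parse_syslog(line):
    """Return (facility, severity, mnemonic, text), or None without an IOS header."""
    m = MSG_RE.search(line)
    if not m:
        return None
    return m["facility"], int(m["severity"]), m["mnemonic"], m["text"]


def trap_level(level):
    """Accept the numeric or named form `logging trap` takes; return the number."""
    if isinstance(level, int):
        if not 0 <= level <= 7:
            raise ValueError("severity must be 0-7")
        return level
    return SEVERITY[level.lower()]


def trap_filter(lines, level):
    """Parsed messages a syslog server would receive under `logging trap <level>`."""
    limit = trap_level(level)
    sent = []
    for line in lines:
        parsed = parse_syslog(line)
        if parsed is not None and parsed[1] <= limit:   # at or more severe than limit
            sent.append(parsed)
    return sent


if __name__ == "__main__":
    for lvl in ("errors", "notifications", 7):
        print(f"logging trap {lvl}: {[p[2] for p in trap_filter(SAMPLE_LOG, lvl)]}")
```

With logging trap errors the server receives only the link-down and port-security messages; notifications (the usual default) adds the two level-5 configuration messages, and 7 forwards everything including debug output, which is why terminal monitor plus debugging is kept for interactive sessions rather than sent to a collector.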
