The company you work for acquires a new client. The site is expanding and the ramp-up will happen within the next three days. As a Network Engineer you are tasked to install a new switch, create the client VLANs, have Systems build DHCP, assign the access ports and test the machines before going live. This article serves as an easy and quick guide on how to carry out the Cisco Switch Configuration.
Cisco Switch Configuration: Device Hardware
The first thing you want to know is the manufacturer and model of the switch you will be using, whether your company buys a new one or the client provides their own device (e.g. Cisco 2960, Cisco 3750). If you are using a spare, it is best practice to check the device hardware and the existing cables connected to it for any damage.
Next, power on the switch and verify that all the indicator lights are working fine. Then you will need to console into the device: using a rollover cable, console into the switch from your computer. You will need to download and install PuTTY for this, or use whichever terminal tool you prefer.
Run PuTTY and select a serial connection at 9600 baud. Once you are connected to the switch, it is important that you run, and carefully check the output of, the following commands:
- show version
- show running-config
- show vlan brief
- show vtp status
For spare switches, make sure to delete the flash:vlan.dat file to erase the previous VLAN configuration.
Setup Management IP
Changing the hostname of the switch is optional, but most companies follow a standard naming convention for organization and management purposes. So, set the device hostname according to the naming assignment your company implements, set the domain name, and then assign an IP address on the management VLAN.
(config)# ip domain-name routerfreak.com
(config)# hostname Switch01
(config)# interface Vlan1
(config-if)# description Management Vlan
(config-if)# ip address 192.168.101.1 255.255.255.0
(config-if)# no shutdown
Checking VTP Revision Number
IMPORTANT: Always check whether the existing connected switches are using VTP (VLAN Trunking Protocol) and check their revision numbers. Do this with the show vtp status command.
By default, a new switch has a VTP revision number of zero. The VTP revision number determines which updates are accepted in a VTP domain. When you set a VTP domain name, the revision number is reset to zero; after that, each change to the VLAN database increases the revision number by one. A switch will only process VTP data from a neighboring switch if it comes from the same domain and the neighbor's revision number is higher than its own.
This means that the switches will update their VLAN configuration based on the VTP information being sent by the switch with the highest revision number.
So, make sure that the switch has a revision number of zero before adding it to the network. Failing to do so can seriously disrupt the operation of the network, because the switch with the highest revision number overwrites the VLAN database of the others. You can easily reset the revision number by changing the VTP domain name to something else and then changing it back.
Tip: you can also change the VTP mode to transparent and then change the domain to reset the revision number to zero.
In config mode, issue the commands:
vtp mode {client | server | transparent}
vtp domain <name>
Access Ports Configuration
It’s time to enable the access ports. Your organization should already have a template ready for access port configuration – but just in case you don’t, these are a few of the commands you should use:
Access port configuration example:
description *** DESCRIPTION ***
switchport access vlan ###
switchport mode access
power inline consumption ###
queue-set 2
mls qos trust dscp
storm-control multicast level 50.00
no cdp enable
spanning-tree portfast
spanning-tree bpduguard enable
Port configuration depends on the setup required by the workstations. The example above is mainly used for data access ports with softphones. Workstations using Avaya hardphones or Cisco phones are configured differently.
Configure the trunk ports
Newer switches no longer support ISL. Enter the command sh int g0/1 capabilities and check which trunking encapsulations the port supports. If ISL is listed, you have to issue switchport trunk encapsulation dot1q on the trunk port before switchport mode trunk. If only 802.1Q is listed, simply type switchport mode trunk: no encapsulation command is needed because 802.1Q is the only encapsulation supported.
You can use this sample config for your trunk configurations:
interface GigabitEthernet1/0/1
 description *** UPLINK ***
 switchport trunk encapsulation dot1q
 switchport mode trunk
 speed 1000
 duplex full
Configuring SSH Access
Earlier, we performed basic network configurations on the switch, like setting up the management ip, assigning hostname and the domain name.
A switch requires RSA keys that it will use during the SSH process. So, generate these using crypto commands as shown below:
Switch01(config)# crypto key generate rsa
The name for the keys will be: Switch01.routerfreak.com
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus : 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
Setup VTY Line Config
(config)# line vty 0 4
(config-line)# transport input ssh
(config-line)# login local
(config-line)# password routerfreak
(config-line)# exit
If you have not set the console line yet, you can easily input these values:
(config)# line console 0
(config-line)# logging synchronous
(config-line)# login local
Set the enable password with the enable secret <password> command. Then create the privileged user with username <name> privilege 15 secret <password>; this is the account that login local checks against.
Make sure that the password-encryption service is activated. This obscures the plaintext passwords (such as the line password above) that would otherwise be shown in the configuration.
Switch01(config)# service password-encryption
Verify SSH access by typing in ‘sh ip ssh’, this will confirm that the SSH is enabled on the Cisco device.
You can now try to login from a remote machine to verify that you can ssh to the Cisco switch.
remote-computer# ssh 192.168.101.1
Login as: username
Password:
Switch01>en
Password:
Switch01#
Exit and log in again, using disable and enable, to verify that the new access and the enable password work before you set up TACACS.
Save the configuration:
copy running-config startup-config
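Before saving, it is worth checking the switch against the items this guide has set: the VTP revision check from the VTP section and the BPDU guard, SSH-only vty and password-encryption settings from the sections above. The following Python script is an added example, not part of the original article; it parses constructed show vtp status and running-config text (assumed sample output, not taken from a real switch) and reports whatever still deviates from the template.

```python
import re

# Constructed sample output, not from a real switch: a spare with a stale VTP revision.
SAMPLE_VTP_STATUS = """\
VTP Operating Mode              : Server
Configuration Revision          : 17
"""

# Constructed running-config: one unhardened access port, one hardened, telnet still allowed.
SAMPLE_RUNNING_CONFIG = """\
no service password-encryption
interface GigabitEthernet1/0/2
 switchport mode access
 spanning-tree portfast
interface GigabitEthernet1/0/3
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
line vty 0 4
 transport input telnet ssh
 login local
"""

def vtp_revision(show_vtp_status):
    # -1 if the field is missing, so a bad parse is never mistaken for a clean switch
    m = re.search(r"Configuration Revision\s*:\s*(\d+)", show_vtp_status)
    return int(m.group(1)) if m else -1

def lint(config, show_vtp_status):
    # returns a list of findings; an empty list means the checks from this guide pass
    findings = []
    rev = vtp_revision(show_vtp_status)
    if rev != 0:
        findings.append(f"VTP revision is {rev}, not 0: reset it before cabling the uplink")
    if "no service password-encryption" in config.splitlines():
        findings.append("service password-encryption is not enabled")
    # each 'interface X' or 'line vty' stanza is its header plus the indented lines under it
    for header, body in re.findall(r"^(interface \S+|line vty.*)\n((?: .*\n?)*)", config, re.M):
        if header.startswith("interface") and " switchport mode access" in body.splitlines():
            if " spanning-tree bpduguard enable" not in body.splitlines():
                findings.append(f"{header}: access port without bpduguard")
        elif header.startswith("line vty") and " transport input ssh" not in body.splitlines():
            findings.append(f"{header}: transport input is not restricted to ssh")
    return findings
```

Run it on the captured output of show vtp status and show running-config from the console session; an empty result means the switch matches the template described in this guide.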
Setup AAA and TACACS
AAA works together with TACACS in managing your device login security.
For the final steps: test access, reload the switch, ready the cables and label the switch.
That’s it! Time to rack it up!